Overview

overview

10

Static

static

10

5e7335d97a...3a.exe

windows7-x64

10

5e7335d97a...3a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2024 23:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe

  • Size

    1.8MB

  • MD5

    5fe5c094a2fd1a198178aa10c5b62307

  • SHA1

    766b36ad58f89249728f8405b893ee104f3a8e6d

  • SHA256

    5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a

  • SHA512

    c1d4c29f0bf10787c5ed6bafd244f466a9be5a805976670a52337d90362eb00d3f9a278d822d9858128d5c8189c1da1125da76dd75b3e10d04be639a4e30b0c0

  • SSDEEP

    49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:mgVTVXYNX9mOWSkM

Score
10/10
dcratevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
    "C:\Users\Admin\AppData\Local\Temp\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\dwm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\audiodg.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\smss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1984
    • C:\Users\Default\audiodg.exe
      "C:\Users\Default\audiodg.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1996
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\249b6df2-21a6-456e-b161-3e13dde4fc1d.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Users\Default\audiodg.exe
          C:\Users\Default\audiodg.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1644
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c29f0bc1-3f4f-4dc3-a722-b1388756fe05.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2960
            • C:\Users\Default\audiodg.exe
              C:\Users\Default\audiodg.exe
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:788
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb3777e5-a057-417c-8467-b70252fa034a.vbs"
                7⤵
                  PID:1776
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5379d064-a4f3-4745-a383-39f78eafee5b.vbs"
                  7⤵
                    PID:2816
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c3fd729-3a61-48e3-9ff0-e529ee19264a.vbs"
                5⤵
                  PID:2360
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c4aa5bf-e028-4848-a01a-3ab63740d763.vbs"
              3⤵
                PID:1252
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\dwm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3052
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2692
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2600
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2572
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2616
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2148
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1744
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2960
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3036
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2372
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1124
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2872
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1476
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2768
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2904
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:688
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:584
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default\audiodg.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2864
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2936
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2956
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a5" /sc MINUTE /mo 6 /tr "'C:\Users\Public\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:568
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a" /sc ONLOGON /tr "'C:\Users\Public\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:784
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a5" /sc MINUTE /mo 14 /tr "'C:\Users\Public\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1916
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3000
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2920
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1044
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2248
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\it-IT\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2144
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2416
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2424
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1316
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2236
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\es-ES\dllhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1144
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1284
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\es-ES\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1620
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1660
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:836
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:992
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2120
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1320
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1680

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Windows Sidebar\spoolsv.exe
            Filesize

            1.8MB

            MD5

            5fe5c094a2fd1a198178aa10c5b62307

            SHA1

            766b36ad58f89249728f8405b893ee104f3a8e6d

            SHA256

            5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a

            SHA512

            c1d4c29f0bf10787c5ed6bafd244f466a9be5a805976670a52337d90362eb00d3f9a278d822d9858128d5c8189c1da1125da76dd75b3e10d04be639a4e30b0c0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\249b6df2-21a6-456e-b161-3e13dde4fc1d.vbs
            Filesize

            704B

            MD5

            4d2d9feb571ac3e097b754557c6ea20e

            SHA1

            21df56bcb35b2d0a7698d3b48dfaab7c5c4ae7dd

            SHA256

            378b2e8eedc3b22bebc35de60a5fe4ba6117abdcc87ef18f7da220db9a0f41e0

            SHA512

            04c7b44671ea45c427519fed0314935afd19ed7de4a47bb45395e140763fcfd469d1d0d24b0e7721a4854d250bb615e70c6ddfe07b6f7c2aa230514e9d2f5ff9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7c4aa5bf-e028-4848-a01a-3ab63740d763.vbs
            Filesize

            480B

            MD5

            84757f13c98bedb2bfc73b0cdb57ad46

            SHA1

            fc88e1713bf4f147e3c79e7227cabf7115916d3b

            SHA256

            7b17e4f357a166dbe5fcb160ce1fd2ad1c332067d9f281c6f76f939bc5421bd7

            SHA512

            a5c8e83d6962ca998b53943356fd84bb77674a146c4397663c8ac3a16aba2d535bcf93ae2c5023024e8444689f1af6aa7d6c46fa43e204d23604be668e93f315

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c29f0bc1-3f4f-4dc3-a722-b1388756fe05.vbs
            Filesize

            704B

            MD5

            f1b46e629ff4a0c18827cf9409b9a773

            SHA1

            312332b2dd358a8070110e87f6a3bd3ec48ce8e9

            SHA256

            47d236574c017cbfba7f8f02c22e6afd07fbec7894158dce61b9c2a9ab4deccd

            SHA512

            8cf327da60620fa2f01dd252b5109624bd3a88ee6d8c315d893699665efb15f9331b604d58cf7ff5be07fbb326581a5e60dc1988fdad163035e9ab939e6110a0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\cb3777e5-a057-417c-8467-b70252fa034a.vbs
            Filesize

            703B

            MD5

            0b7f7e4bd0602ebc24f6a9916cc9a2da

            SHA1

            f7330f63c8ce5501e454c3615a5f07c560356373

            SHA256

            0bdd95dd747fef4258bb00ad086b57f84d20d3259d9c4b027f1a12097daee8e9

            SHA512

            eeba90ee822b67a073eafb304e65f282a94d6d10af2da48533d5e84607d0971d503ea7287fa29cab9e1672e95c56618f1058c444c437ce01f8b32b116540909a

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            f2808ae2dda94d8f375dabb85614589c

            SHA1

            9eeefabfc66bab471b2ad0d59cdafd78b6a60358

            SHA256

            633555de22c8e837356502b8327b58b82deed5f9f9169fe9d1168023677e397c

            SHA512

            5e7993470fe9debdad95e11071cc64732bce70e63590c3570a1dd7156016ed8902be6740655ee4689073a7d5a9b4dbaa851e67bddf3ff901f1750498b9ae8d06

            Download Submit

          • C:\Users\Public\RCX9B9.tmp
            Filesize

            1.8MB

            MD5

            b711c03b455f6ef83126ed59703be24c

            SHA1

            a806f71236855c9cd828c1f16ba0fe2cea2ee2ee

            SHA256

            60790510484112594a6b10f1f7c8339ecaa68217e2075e66faba0214137b966d

            SHA512

            f791ab9a550e4597ad2f1d0048bf2d05a7aa9a2224d940091280b5e8a0469cc59e9b063272a831a02bbf6bcb019503d0badfa3d87c35d28dceddba333d63995a

            Download Submit

          • C:\Windows\it-IT\smss.exe
            Filesize

            1.8MB

            MD5

            6849fde260b4b00d81790d844285969a

            SHA1

            316dc5b56f87a7aa5ceda73fa388c3f567964fb5

            SHA256

            e6b91480c1e5e7a926c4826ccf637df1b857fcb778e4b9ca4f45c528039f5529

            SHA512

            87b764db65038e1e2be641073c1d44ca43ee85e7bad02289c9c373d54f942e24441c4e280523b63ffc29a07853e27d941aa14fd217c2f0248f12df78e809542c

            Download Submit

          • memory/788-253-0x0000000000680000-0x0000000000692000-memory.dmp

            Filesize

            72KB

            Download

          • memory/788-252-0x0000000000330000-0x00000000004FE000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1644-238-0x0000000000280000-0x000000000044E000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1644-240-0x0000000002190000-0x00000000021A2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1644-239-0x0000000000560000-0x0000000000572000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1812-15-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1812-13-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1812-8-0x00000000004D0000-0x00000000004E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1812-6-0x0000000000490000-0x00000000004A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1812-7-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1812-0-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1812-134-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1812-153-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1812-1-0x0000000000E60000-0x000000000102E000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1812-4-0x00000000001E0000-0x00000000001E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1812-9-0x00000000004B0000-0x00000000004BA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1812-10-0x00000000004C0000-0x00000000004D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1812-2-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1812-11-0x0000000000640000-0x000000000064A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1812-5-0x00000000003F0000-0x0000000000400000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1812-3-0x00000000001C0000-0x00000000001DC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/1812-14-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1812-12-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1924-174-0x000000001B550000-0x000000001B832000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/1924-176-0x00000000027D0000-0x00000000027D8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1996-227-0x0000000000570000-0x0000000000582000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1996-222-0x0000000000330000-0x0000000000342000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1996-148-0x0000000000AD0000-0x0000000000C9E000-memory.dmp

            Filesize

            1.8MB

            Download