Overview

overview

10

Static

static

10

f85f3b8395...7N.exe

windows7-x64

10

f85f3b8395...7N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2024 15:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f85f3b83955fb765d7733f9d99bf3b5eb8494931a9e722730c479edb48ed5437N.exe

  • Size

    1.7MB

  • MD5

    fb36ea7f9a30d0b4c676dba8549460d0

  • SHA1

    efc07073777b618a13f5ecc625193f151a5e3d30

  • SHA256

    f85f3b83955fb765d7733f9d99bf3b5eb8494931a9e722730c479edb48ed5437

  • SHA512

    91c0d49c363f427a61ab8f065167d14dc5dca6badf8e8b5a83529ab24cd7344dbb1c82e9b9947e45986b5d5e2f342c6b83245f61e48850f43b4a16710bd87029

  • SSDEEP

    24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f85f3b83955fb765d7733f9d99bf3b5eb8494931a9e722730c479edb48ed5437N.exe
    "C:\Users\Admin\AppData\Local\Temp\f85f3b83955fb765d7733f9d99bf3b5eb8494931a9e722730c479edb48ed5437N.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1832
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe
      "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67bd2897-cd10-4136-8b69-75ec860698a8.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe
          "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:900
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\907bcb0f-e1dc-4afa-a46c-f6e1c2229f9a.vbs"
        3⤵
          PID:1344
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2428
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1976
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2316
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2196
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2296
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Favorites\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Favorites\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1488
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1800
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\defaults\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\defaults\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "f85f3b83955fb765d7733f9d99bf3b5eb8494931a9e722730c479edb48ed5437Nf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\f85f3b83955fb765d7733f9d99bf3b5eb8494931a9e722730c479edb48ed5437N.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "f85f3b83955fb765d7733f9d99bf3b5eb8494931a9e722730c479edb48ed5437N" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\f85f3b83955fb765d7733f9d99bf3b5eb8494931a9e722730c479edb48ed5437N.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1152
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "f85f3b83955fb765d7733f9d99bf3b5eb8494931a9e722730c479edb48ed5437Nf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\f85f3b83955fb765d7733f9d99bf3b5eb8494931a9e722730c479edb48ed5437N.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\it-IT\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2024
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1732
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\MSDTC Bridge 3.0.0.0\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\inf\MSDTC Bridge 3.0.0.0\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2072
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\MSDTC Bridge 3.0.0.0\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1532

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\sppsvc.exe
      Filesize

      1.7MB

      MD5

      fb36ea7f9a30d0b4c676dba8549460d0

      SHA1

      efc07073777b618a13f5ecc625193f151a5e3d30

      SHA256

      f85f3b83955fb765d7733f9d99bf3b5eb8494931a9e722730c479edb48ed5437

      SHA512

      91c0d49c363f427a61ab8f065167d14dc5dca6badf8e8b5a83529ab24cd7344dbb1c82e9b9947e45986b5d5e2f342c6b83245f61e48850f43b4a16710bd87029

      Download Submit

    • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe
      Filesize

      1.7MB

      MD5

      04b5a2254d6210fcfb14bc220c9b38b1

      SHA1

      5d2230c5e21b04bc3d0318e2dd8e2aa7a86bddd1

      SHA256

      9b4584e98be19c76dced53ce6108de1261c9169591cdd1d57571cb71c8466291

      SHA512

      b479c6d9af9cbe518eec9a4792f8ece8c2a8a39393ed5fb29db19351aa99aa3e6183750b2ffa99be580ae06c9ad54582c2dca86f3dc61ef0433d97429267c5bf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\67bd2897-cd10-4136-8b69-75ec860698a8.vbs
      Filesize

      749B

      MD5

      a22f92d4e0bf6e31e691914985fd75d7

      SHA1

      b68614c1d4946f29a2e9f2d7adefc9a0b178cb46

      SHA256

      46f3b422ac25d2b907b3e5af6acd7933378e92de730661d1e3bfbf8a704bd123

      SHA512

      0fda79d3f6f0395acc5cb9a41f5197e0ff700c893b96e9c01846beae014822a1f8308cc4caa8254a821fc55beb9a5986609dc690eb00e224697c60baab5ed901

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\907bcb0f-e1dc-4afa-a46c-f6e1c2229f9a.vbs
      Filesize

      525B

      MD5

      309f01868cfc5712e52f2f4db89db0a7

      SHA1

      70c8d96dd093b52a86753542528fb7295cf75ddb

      SHA256

      1d31b527efbdb73e04534483d07f26773521e2fd18bec0555ed816eca656faea

      SHA512

      a79ea3930348fd6eb132e75688f5d9c113c2096381af78235c92072e385721e7d984ced7cbd5e60757b5f92f7fa884317155fe94aef3ae04fc57272f91fde486

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      d3057fe5cfe7d05ed8c897463c38fba4

      SHA1

      e812bbea2b071c25782f256790d76ba1c1b1cb59

      SHA256

      f9548f933da0bf6ee11181cbfad600e897b3f8203f041202069c5fdc48352659

      SHA512

      b76c331685c33d94facef1e7ad06d6f9844d427fa4675b948ac4f604c081b17eadb210b9072aed824b53282b243f6cc31236ed0cbf151b9c9a6612d53d0eab7c

      Download Submit

    • C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe
      Filesize

      1.7MB

      MD5

      21325b6acd18a893cc48879da9c48313

      SHA1

      b704cf16d73489a82e8a2c1fa1d80992a8cb78f3

      SHA256

      31a42c059800d4a7d963db2da7bb5a0053b3d5be0793edb686340b33682202ae

      SHA512

      a651f00e694de213b97ad4d58722af55f5ade3bd479cc1749ff8d9900f65720c45970dc144d37f9702c6a6e77204f750b1beadcedf3adbdf6060c8b6782b582d

      Download Submit

    • \??\PIPE\srvsvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit

    • memory/900-328-0x0000000000030000-0x00000000001E6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1236-268-0x000000001B600000-0x000000001B8E2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1236-271-0x00000000026A0000-0x00000000026A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2140-8-0x0000000000700000-0x0000000000710000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2140-184-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2140-14-0x0000000000740000-0x000000000074A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2140-13-0x0000000000730000-0x000000000073C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2140-16-0x0000000000760000-0x000000000076C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2140-15-0x0000000000750000-0x0000000000758000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2140-17-0x0000000000770000-0x000000000077C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2140-20-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2140-10-0x0000000000710000-0x0000000000718000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2140-9-0x00000000006F0000-0x00000000006FC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2140-0-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2140-12-0x0000000000720000-0x000000000072C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2140-208-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2140-233-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2140-7-0x00000000006E0000-0x00000000006F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2140-6-0x0000000000640000-0x0000000000656000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2140-5-0x0000000000430000-0x0000000000440000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2140-269-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2140-4-0x0000000000420000-0x0000000000428000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2140-1-0x0000000000240000-0x00000000003F6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2140-2-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2140-3-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2632-317-0x0000000000500000-0x0000000000512000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2632-267-0x0000000000C80000-0x0000000000E36000-memory.dmp

      Filesize

      1.7MB

      Download