Overview

overview

10

Static

static

10

789ff6a462...2d.exe

windows7-x64

10

789ff6a462...2d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 08:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    789ff6a462201360bea02c98b4fb3c2d.exe

  • Size

    984KB

  • MD5

    789ff6a462201360bea02c98b4fb3c2d

  • SHA1

    322228573e2be64daf1ee9118af397dfcbc91bce

  • SHA256

    0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8

  • SHA512

    72517203f735a71d241fb69d55a85315f678dec2f7c02d8b3733e318fe804424cf7079873a296a6e411e2b1364800cc89df45987a8609813f1a64a60b044616e

  • SSDEEP

    12288:gyEIOYTNEIf5AycvEhKIV6tEcln0Ai2a61h3cQ9Fk+ntGoWuzsx1oiLgo:gyErYT+PvXIUln/1GJgo

Score
10/10
dcratevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\789ff6a462201360bea02c98b4fb3c2d.exe
    "C:\Users\Admin\AppData\Local\Temp\789ff6a462201360bea02c98b4fb3c2d.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3280
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4140
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4128
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3120
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4368
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S0tQzFKF2Y.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4028
        • C:\Recovery\WindowsRE\csrss.exe
          "C:\Recovery\WindowsRE\csrss.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:3252
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3176
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Pictures\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1136
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "789ff6a462201360bea02c98b4fb3c2d7" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\789ff6a462201360bea02c98b4fb3c2d.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4328
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "789ff6a462201360bea02c98b4fb3c2d" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\789ff6a462201360bea02c98b4fb3c2d.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1252
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "789ff6a462201360bea02c98b4fb3c2d7" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\789ff6a462201360bea02c98b4fb3c2d.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Videos\sihost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4916
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1884
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Videos\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\sihost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3156
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4144
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "789ff6a462201360bea02c98b4fb3c2d7" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\789ff6a462201360bea02c98b4fb3c2d.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "789ff6a462201360bea02c98b4fb3c2d" /sc ONLOGON /tr "'C:\Windows\Provisioning\789ff6a462201360bea02c98b4fb3c2d.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3124
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "789ff6a462201360bea02c98b4fb3c2d7" /sc MINUTE /mo 5 /tr "'C:\Windows\Provisioning\789ff6a462201360bea02c98b4fb3c2d.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4128
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4140
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3272
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\taskhostw.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3976
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4976
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1200
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2516

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Windows Mail\taskhostw.exe
      Filesize

      984KB

      MD5

      0cafd6d1551bf70f01710c947774a971

      SHA1

      546af2c1622a4574a6e0439c072832c4abe4777f

      SHA256

      3b6665a0a8a6b8878705dd212f80ab71d10cf198b7d132dab8d360bc88a32806

      SHA512

      329cfc51fdbbfeefc252dc2d39feeee117b3863bf438b1f815412e9595ed4f58d009528d7be5fa4d2fc54e2443f9fb79c60bc4235e989534b5e250cbc1404c54

      Download Submit

    • C:\Program Files\Windows NT\fontdrvhost.exe
      Filesize

      984KB

      MD5

      408af4ea243860ae620a51b6ad781156

      SHA1

      4255005c26b94a5b092dccb5afbc2ce4861d194b

      SHA256

      91498d62d073b7f1ac3cc130a08dbb44c91be98819496dd2cc8d9d09f8f482e6

      SHA512

      eafeee3eac695cb14d716943b6eb2b7840b5631b623d5e0508615eab3c54a73a5dab00cd713d6e2bff6c942c366a152c1489f440cdd5c7e8892ff85f0519d6b1

      Download Submit

    • C:\Recovery\WindowsRE\789ff6a462201360bea02c98b4fb3c2d.exe
      Filesize

      984KB

      MD5

      f0eb08fe61034b09eb7b223c672738d8

      SHA1

      2ca1c872ceae3496d76e0b103b63183458ab2c32

      SHA256

      8af17abdbe5de52275e9de1d60186150fd3e1a1e8ce33d3c8be99463c4bce63a

      SHA512

      e13a2236f429178763e91299645188ae49362f0a5701330ef99c071b7add8a6243b3ec1d003c6eb0ac1d967db05f641c88c99661edbddc09542477851153cc07

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      d28a889fd956d5cb3accfbaf1143eb6f

      SHA1

      157ba54b365341f8ff06707d996b3635da8446f7

      SHA256

      21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

      SHA512

      0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      62623d22bd9e037191765d5083ce16a3

      SHA1

      4a07da6872672f715a4780513d95ed8ddeefd259

      SHA256

      95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

      SHA512

      9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      bd5940f08d0be56e65e5f2aaf47c538e

      SHA1

      d7e31b87866e5e383ab5499da64aba50f03e8443

      SHA256

      2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

      SHA512

      c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      e8ce785f8ccc6d202d56fefc59764945

      SHA1

      ca032c62ddc5e0f26d84eff9895eb87f14e15960

      SHA256

      d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

      SHA512

      66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\S0tQzFKF2Y.bat
      Filesize

      196B

      MD5

      a9c34003a92011586206dc918244d9b6

      SHA1

      ddfc832cfce025715f2b72e94a5da4554553f161

      SHA256

      c2423be74dca065d8a8b639a72f28be34d8613db26597975a3138b09eb988dee

      SHA512

      3c980dc9aff041ed841341d97e3fb5571f42319e14665b309540d43235bcb902af5f6c668dc28a962197776d4e31dc4171757e11cf6e5b20bf3396f0942738a3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_11lj0k0u.pxg.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Public\AccountPictures\sihost.exe
      Filesize

      984KB

      MD5

      bc2f3ee4828cf14ec33134801146f557

      SHA1

      eacb41dd1d02e91afd6221a5be04cad5c4c5463d

      SHA256

      7c361702a3950aad3ccbc281aaa577a1ec4c895370df413dd38b273256a619bc

      SHA512

      a2afa40f1b98d8bd72ebbb9ee53c13f5ec83ce047fadd3fcd73052dc8dcdc426ba9c14db1f44166f153ddb0fdc9eb5ad579581994f6f1ee82c66487c879b2513

      Download Submit

    • C:\Users\Public\Videos\sihost.exe
      Filesize

      984KB

      MD5

      789ff6a462201360bea02c98b4fb3c2d

      SHA1

      322228573e2be64daf1ee9118af397dfcbc91bce

      SHA256

      0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8

      SHA512

      72517203f735a71d241fb69d55a85315f678dec2f7c02d8b3733e318fe804424cf7079873a296a6e411e2b1364800cc89df45987a8609813f1a64a60b044616e

      Download Submit

    • C:\Users\Public\Videos\sihost.exe
      Filesize

      984KB

      MD5

      6e03942dbb3d78402eb0fcbe49a9fa2a

      SHA1

      6ab3291e770f9210ca7ba7b2eaa2cee3e7736630

      SHA256

      dc0008b83eac4b24b9d4068910f2f90524052596a625c3b33e6bd21dc2955683

      SHA512

      e4dacc77eb8fa80894b0624b6fb150670d0d7dafc46894733f4734c4781c48afcfba052151910542673444b3d28b505e7cce0d3406d8c06d7bad1d376ffd3c8c

      Download Submit

    • memory/3268-9-0x0000000002FC0000-0x0000000002FCC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3268-0-0x00007FFFFDBF3000-0x00007FFFFDBF5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3268-18-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3268-10-0x0000000002FD0000-0x0000000002FDC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3268-11-0x0000000002FE0000-0x0000000002FE8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3268-14-0x0000000003010000-0x000000000301C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3268-99-0x00007FFFFDBF3000-0x00007FFFFDBF5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3268-13-0x0000000003000000-0x000000000300C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3268-12-0x0000000002FF0000-0x0000000002FFE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3268-122-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3268-168-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3268-17-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3268-243-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3268-1-0x0000000000D40000-0x0000000000E3C000-memory.dmp

      Filesize

      1008KB

      Download

    • memory/3268-8-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3268-5-0x0000000002F60000-0x0000000002F70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3268-6-0x0000000002F70000-0x0000000002F86000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3268-7-0x0000000002F90000-0x0000000002F9A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3268-4-0x0000000002F50000-0x0000000002F58000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3268-3-0x0000000002F40000-0x0000000002F4E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3268-2-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4128-258-0x00000225E96F0000-0x00000225E9712000-memory.dmp

      Filesize

      136KB

      Download