Overview

overview

10

Static

static

10

ef198c2bd0...42.exe

windows7-x64

10

ef198c2bd0...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-12-2024 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef198c2bd03333e40dc6e723bb985f6507bc3e3662f0986a7db6ee0157ea7142.exe

  • Size

    984KB

  • MD5

    b6d8aa9bbde0aadb7ded1a4096540fe7

  • SHA1

    5e78b639c6a8ca53f03462c8bc5443429f1982ae

  • SHA256

    ef198c2bd03333e40dc6e723bb985f6507bc3e3662f0986a7db6ee0157ea7142

  • SHA512

    d24fb4771bb54f44dfd23505c491eca811aeb4ce14e40204a58849951f9c706e156683f228cb39e7aacb88323eceae8e2e3fb2328188f730aec097c672c0fa55

  • SSDEEP

    12288:MyEIOYTNEIf5AycvEhKIV6tEcln0Ai2a61h3cQ9Fk+ntGoWuzsx1oiLgoi:MyErYT+PvXIUln/1GJgoi

Score
10/10
dcratevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 16 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef198c2bd03333e40dc6e723bb985f6507bc3e3662f0986a7db6ee0157ea7142.exe
    "C:\Users\Admin\AppData\Local\Temp\ef198c2bd03333e40dc6e723bb985f6507bc3e3662f0986a7db6ee0157ea7142.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
      "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2456
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Videos\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\ja-JP\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ehome\ja-JP\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\ja-JP\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\security\database\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\security\database\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\security\database\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ef198c2bd03333e40dc6e723bb985f6507bc3e3662f0986a7db6ee0157ea7142e" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Local\Microsoft\Windows\ef198c2bd03333e40dc6e723bb985f6507bc3e3662f0986a7db6ee0157ea7142.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ef198c2bd03333e40dc6e723bb985f6507bc3e3662f0986a7db6ee0157ea7142" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Microsoft\Windows\ef198c2bd03333e40dc6e723bb985f6507bc3e3662f0986a7db6ee0157ea7142.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1140
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ef198c2bd03333e40dc6e723bb985f6507bc3e3662f0986a7db6ee0157ea7142e" /sc MINUTE /mo 6 /tr "'C:\Users\Default\AppData\Local\Microsoft\Windows\ef198c2bd03333e40dc6e723bb985f6507bc3e3662f0986a7db6ee0157ea7142.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\bin\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\bin\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe
    Filesize

    984KB

    MD5

    30d2b2cb7d9bdd3e426d4892e3a74bbf

    SHA1

    53bfc5b25f5f9941de8afe0037e9bba2a8b14e9f

    SHA256

    724bbfe5327e9053c12c4680489cb4482da8b414b26f964fd59bd7edf30715d7

    SHA512

    ef90a08c93d4fc5f2614d424bd5a6f5838252a620c0865bd22da57b30068e9faabd19d3228d215369ff2fcec92fc4dfbcf87bfdabfef526e4ffc2a63c541bd97

    Download Submit

  • C:\Program Files\Java\jre7\bin\services.exe
    Filesize

    984KB

    MD5

    32d9e153f8f275f63f60ab33619c91be

    SHA1

    19ee5efd7a4421e29accc775cab6d3da25ab77f0

    SHA256

    160e9ae2571cbb0b573a4e3d5183e6e56d60d7cf1c3cf3846304bbda9843800c

    SHA512

    565cb867d3e1f0657b9bd5bda4aa90433f3b0872cd1bab9dfcd9e81bb523745c7c833f8183cc2fad50aa02d15f542e7ca408f40e5eea8c699dfec1d196f6db3b

    Download Submit

  • C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe
    Filesize

    984KB

    MD5

    6791eb32ec7d3ed0297e7680bbb8b053

    SHA1

    2590c062ce6e50754edf76991514dbfc9381bca0

    SHA256

    d85bdc43e277f2624780c9fb9836ba16d9007fc5d2a844cd4ec91dcef560589f

    SHA512

    99789d777563ad3fa414f41fccd433f018a7bcf12c6d279e19ef37ad8f8b3bc2b87bd4cf376a8e330ec05012cb55b387f8801ec72c27cfe71db1aac1d228fa09

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    d5bc1709cf3464da02536216d6139dd0

    SHA1

    14a56acba3cbf67c989dd8066dfeee8fa128a718

    SHA256

    78f7b18b8822666c00747932803b808fdd2986bedc88e88336b822043147c446

    SHA512

    4c20b43875fb138be97e3d0a296823d1734a82c6cb46927c4366a959a1b4b141698bceb075bab1cc4527c7c44b8722df64daa2e8261d989f3ab07166b98f1d93

    Download Submit

  • C:\Users\Default\OSPPSVC.exe
    Filesize

    984KB

    MD5

    10cbf8c93717d80b31b1c23f4a34ea98

    SHA1

    82ec6ee0cee1d91f2edc14bc959db50e9097edcf

    SHA256

    d0768db7f22849c2cc9db5516df21f5b31bf60bc433a069678f007f68675725c

    SHA512

    96dcad79d88ff163db4f2d600fb62e97e68fbf35482e7a7f6a8bfa53f082bc2aae5a0c4a6601059889fa0058d7e700e190f577d3dc75b331c78f3ebf0e3336ad

    Download Submit

  • C:\Windows\ehome\ja-JP\csrss.exe
    Filesize

    984KB

    MD5

    b6d8aa9bbde0aadb7ded1a4096540fe7

    SHA1

    5e78b639c6a8ca53f03462c8bc5443429f1982ae

    SHA256

    ef198c2bd03333e40dc6e723bb985f6507bc3e3662f0986a7db6ee0157ea7142

    SHA512

    d24fb4771bb54f44dfd23505c491eca811aeb4ce14e40204a58849951f9c706e156683f228cb39e7aacb88323eceae8e2e3fb2328188f730aec097c672c0fa55

    Download Submit

  • C:\Windows\it-IT\winlogon.exe
    Filesize

    984KB

    MD5

    805e7738fee22296a508a58f7ab4aa71

    SHA1

    bf1f0ca76777bae70b397c7a548ac6000b342704

    SHA256

    0c21d2c6dedcda27d62573985a84d724a30c177dd66a2be1740098c8b6d26c70

    SHA512

    56b2f80abed6816bbecf8d900b1ed90e7675248490c658e6ea433688379f0e532f2ca87ad0b7e5b11dbd0d0c99db47bf7370236579f44cb8964ea0b439315734

    Download Submit

  • memory/1516-273-0x000000001B6B0000-0x000000001B992000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2052-7-0x0000000000430000-0x000000000043A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2052-4-0x0000000000250000-0x0000000000258000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2052-10-0x0000000000580000-0x000000000058C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2052-13-0x0000000000850000-0x000000000085C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2052-12-0x0000000000840000-0x000000000084E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2052-11-0x0000000000830000-0x0000000000838000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2052-14-0x0000000000860000-0x000000000086C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2052-17-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2052-8-0x0000000000560000-0x000000000056C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2052-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2052-6-0x0000000000540000-0x0000000000556000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2052-9-0x0000000000570000-0x000000000057C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2052-192-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2052-5-0x0000000000420000-0x0000000000430000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2052-206-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2052-231-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2052-3-0x0000000000240000-0x000000000024E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2052-2-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2052-272-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2052-1-0x0000000000890000-0x000000000098C000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/2252-275-0x00000000028E0000-0x00000000028E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2576-274-0x00000000010E0000-0x00000000011DC000-memory.dmp

    Filesize

    1008KB

    Download