Overview

overview

10

Static

static

10

25fac6b0d6...a7.exe

windows7-x64

10

25fac6b0d6...a7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe

  • Size

    3.2MB

  • MD5

    8c1a813f52ed5c9f746cc2baea9b421c

  • SHA1

    923f06dd79705fe0957b6efa9b47f8a726e80b08

  • SHA256

    25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7

  • SHA512

    b524b7766912011f5ff17bf8b7b4b96abed8a77b113a27eb4ef9ba2fa840946b5443e68204e1e2e45ed9a78c2c681ad12c5a1324bcafee63d297f8dfe8cddb57

  • SSDEEP

    49152:oD+WhPI+P05YhHbpHP1qcdhymFKN/1cCLKtrp8qotx/8jwwpO5:k+WhPIq0iHPEA1W/19LGrBoP9wpO5

Score
10/10
dcratevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
    "C:\Users\Admin\AppData\Local\Temp\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\lsass.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\OSPPSVC.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\lsm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1140
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\WmiPrvSE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Landscapes\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2056
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxuqwfwIb6.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2164
        • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe
          "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1728
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b0932b3-f471-4ad8-9579-fa01f3586f53.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2920
            • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe
              C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:2980
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65c87377-a9ee-41a0-95aa-743dccebe177.vbs"
            4⤵
              PID:2724
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2928
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2748
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2612
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2136
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2860
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2932
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2948
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1960
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1932
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1244
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1424
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2076
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Vss\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:388
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:776
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:444
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1548
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:848
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2480
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a72" /sc MINUTE /mo 12 /tr "'C:\Users\Public\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:316
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7" /sc ONLOGON /tr "'C:\Users\Public\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2200
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a72" /sc MINUTE /mo 14 /tr "'C:\Users\Public\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:236
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1536
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1692
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1168
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Landscapes\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2380
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Landscapes\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:348
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Wallpaper\Landscapes\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2288

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe
        Filesize

        3.2MB

        MD5

        8c1a813f52ed5c9f746cc2baea9b421c

        SHA1

        923f06dd79705fe0957b6efa9b47f8a726e80b08

        SHA256

        25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7

        SHA512

        b524b7766912011f5ff17bf8b7b4b96abed8a77b113a27eb4ef9ba2fa840946b5443e68204e1e2e45ed9a78c2c681ad12c5a1324bcafee63d297f8dfe8cddb57

        Download Submit

      • C:\Program Files (x86)\Windows Sidebar\es-ES\sppsvc.exe
        Filesize

        3.2MB

        MD5

        dba9993deb91bfb2bb3d0b8ccc944ae1

        SHA1

        41049a0d95723e0473a429f3a67adac8903a8b96

        SHA256

        3c53c13cb3cd9210bb3c2f436c1f6e3a8b7877d7e1fd303e52598d6ddcaba7c3

        SHA512

        bb07cd428e9be03df07b923b5885c174489883467cd6028217a2e096b0e1d84221fd32fae8fd55e68aec18dd191cd18dec61c3ae4bd3b7128923999423971ba7

        Download Submit

      • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe
        Filesize

        3.2MB

        MD5

        a665e22aa25b2f62c5524fc10feb2820

        SHA1

        0f8f6aa96b425633eb11f84aece99ef2f9d67b9e

        SHA256

        d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0b

        SHA512

        cbc565fb6b584d5b9720c6bfbebeaf71d4884ea41033fd26cba78a6b3544b39e83e0a5b011c901bbd56f9d509735a0830d18036ef677c43abf6b94eec03cc381

        Download Submit

      • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        Filesize

        3.2MB

        MD5

        93002bc856da2a99faac4e80791643d4

        SHA1

        bb74b3c4d479eb843d1f2a9c51618d80cd5d0378

        SHA256

        2b8b2ea42c924a7fdfbd3e24e906b532b26be884fef30d9f69a9d09dc94d91f8

        SHA512

        fd5b237689c630bf3f0f593f4a2346e6b95b8508d96234124f2c23bc60dabe867e6e25f91491b838ff0e9691b89e8b12dcf06f341fc100fa12d3be4cca3fdfc9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1b0932b3-f471-4ad8-9579-fa01f3586f53.vbs
        Filesize

        737B

        MD5

        82ad3a7267c87a144722a758f4299d8b

        SHA1

        59d85c91acd1753d12354f5fe0db968f2dab3127

        SHA256

        c31825d46d5ac20022b525013d3393992048a78bd22308744734c23de11aed99

        SHA512

        b043bd3c1687c70349d0c0242a3b220026a4f5941520c00730ef773fd918f97fe110abf08d2b94520d67c05b16f0a824808ba81bdf0872d358ff08e667ecc126

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\65c87377-a9ee-41a0-95aa-743dccebe177.vbs
        Filesize

        513B

        MD5

        204e557b765ddfef21a4f47e5807e0cd

        SHA1

        54d7de1822c13074318e469f1cb9a195b2adc03d

        SHA256

        87cbd4400e6709b5595e1b14fa5eb8614d34905eb16726c1af79ef4a69f7bd87

        SHA512

        fc74096377dd776a3a0ecf5c56beee481bd01ed04fd9b7d60b67d276eec77c6b347f90796536c31446ea1cb0f33675494f149bbccaa5c1047866df73f8db4298

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\uxuqwfwIb6.bat
        Filesize

        226B

        MD5

        8a749537d9be2306904db2b322a64af7

        SHA1

        76f8d97dfeac0f8e576400fdb25d592479d32ea1

        SHA256

        58fce0510a6106217af2272d83ec8b7b250475c0e5e1694404c16f0f0927d02c

        SHA512

        26f086758da028b8ed496fa91a75701bcaf1b3d9dde221259e6feab82178b21c1ad98a0bbea6b73887d13f4a5c3ed18196d8584f2d2261ff5ee826629c02c606

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        cfe9a52ea9d86eeadf4fe4d867c560d9

        SHA1

        b85534d597012578eabacba74a16869754f5cbec

        SHA256

        48f2ddccc584368f50912ed726312055f39042109ad0cec162f031d0c7ee9592

        SHA512

        c50838180f76c7c754d226f8fc235fbd2927f023cce47ee11335df22e12f3175b17b4a3f164cdb40738086afa13b03246b2f7d453f3981b2f0fe4e22c0ec3b07

        Download Submit

      • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\OSPPSVC.exe
        Filesize

        3.2MB

        MD5

        03c8832dfebe67b1b80d59cf0efc3242

        SHA1

        03aebcf774124223ed2a82f5f70bb2f6ae7eac36

        SHA256

        0d2baa00b9ef098b65b8216455a0cab1458dc949917953ec1dee716202a78285

        SHA512

        6c9db4b6881714790537b52bb1006e9f3976a6ba4851ad8f72fbb0924e7d342586d9e5366d21c0145010fd4d71adefc97d7f7b0df3e78b21b8c3a9a0919f312e

        Download Submit

      • C:\Users\Public\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
        Filesize

        3.2MB

        MD5

        2fe6154800ccc02606ace0c86adf8995

        SHA1

        030eb12c476689a7afdfc4539b12b58afc96f288

        SHA256

        6ec239b4d8a675e2b78a3415d47cfd343c05f429db532ebe689bb69b6d03ba9d

        SHA512

        a27272bd7e4018aa59f3101a8bb2dfad88e4b74d484849fde5ea6b673e5a22b0a38a24660ac1b90ad97fa0f4bfb042f9055c6b454132fc62e2de018d426d49ee

        Download Submit

      • C:\Windows\Vss\lsm.exe
        Filesize

        3.2MB

        MD5

        9e6c5644a68512c82ca73f2f7df4bed1

        SHA1

        6f422c49f030bca47a526ffa3b92cf53306c630a

        SHA256

        5a61738e00cc4871b070761a1f1ca35da546071112e8b4255045363fd712d832

        SHA512

        ddc9a985a9a711d18dab84e8a1b2074d30de5287848181db9145db75218ff3b77716d906bf4b90c0e4a63d21d6c2819fd59b9392e4f1e8bcfac5a5e02a1eca7c

        Download Submit

      • memory/1728-333-0x0000000000F10000-0x0000000001244000-memory.dmp

        Filesize

        3.2MB

        Download

      • memory/1728-334-0x0000000000EC0000-0x0000000000F16000-memory.dmp

        Filesize

        344KB

        Download

      • memory/1748-13-0x0000000001340000-0x0000000001348000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1748-33-0x000000001B100000-0x000000001B10C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1748-15-0x0000000001360000-0x0000000001368000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1748-17-0x0000000001370000-0x0000000001382000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1748-18-0x00000000013A0000-0x00000000013AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1748-19-0x00000000013B0000-0x00000000013BC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1748-20-0x000000001ADD0000-0x000000001ADD8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1748-21-0x000000001ADE0000-0x000000001ADEC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1748-22-0x000000001ADF0000-0x000000001ADFC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1748-23-0x000000001AE10000-0x000000001AE18000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1748-24-0x000000001AE00000-0x000000001AE0C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1748-26-0x000000001AE30000-0x000000001AE3E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1748-25-0x000000001AE20000-0x000000001AE2A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1748-27-0x000000001AE40000-0x000000001AE48000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1748-28-0x000000001AE50000-0x000000001AE5E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1748-29-0x000000001AE60000-0x000000001AE68000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1748-30-0x000000001B050000-0x000000001B05C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1748-31-0x000000001B0E0000-0x000000001B0E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1748-32-0x000000001B0F0000-0x000000001B0FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1748-14-0x0000000001350000-0x000000000135C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1748-34-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1748-0-0x000007FEF5DE3000-0x000007FEF5DE4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1748-12-0x00000000011F0000-0x0000000001246000-memory.dmp

        Filesize

        344KB

        Download

      • memory/1748-11-0x00000000011D0000-0x00000000011DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1748-9-0x00000000011C0000-0x00000000011C8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1748-10-0x00000000011E0000-0x00000000011F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1748-194-0x000007FEF5DE3000-0x000007FEF5DE4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1748-8-0x0000000000B40000-0x0000000000B48000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1748-218-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1748-242-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1748-1-0x00000000013C0000-0x00000000016F4000-memory.dmp

        Filesize

        3.2MB

        Download

      • memory/1748-7-0x00000000011A0000-0x00000000011B6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/1748-2-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1748-260-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1748-6-0x0000000000B30000-0x0000000000B40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1748-5-0x0000000000A00000-0x0000000000A08000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1748-4-0x0000000000A90000-0x0000000000AAC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1748-3-0x00000000003D0000-0x00000000003DE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2148-253-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2148-251-0x000000001B540000-0x000000001B822000-memory.dmp

        Filesize

        2.9MB

        Download