Overview

overview

10

Static

static

10

baa24da08c...ad.exe

windows7-x64

10

baa24da08c...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-01-2025 06:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    baa24da08c1fa8c1493de69e06c6d27479f7bddec69219ae7449ea0831dafaad.exe

  • Size

    984KB

  • MD5

    c7c936018ed654eb04b5134b6254af77

  • SHA1

    051a69111ace14b75dc7a1efb75d573ded9bf65c

  • SHA256

    baa24da08c1fa8c1493de69e06c6d27479f7bddec69219ae7449ea0831dafaad

  • SHA512

    72bebc9aadd789ceed81aa7110524fbf841e791af46e5b57b3235d4da6266f19ff608b4fac97b3d397e39b939aa55f671301b30b1a6b7d6d0b709da945a6a6ae

  • SSDEEP

    12288:MyEIOYTNEIf5AycvEhKIV6tEcln0Ai2a61h3cQ9Fk+ntGoWuzsx1oiLgoJ:MyErYT+PvXIUln/1GJgo

Score
10/10
dcratevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\baa24da08c1fa8c1493de69e06c6d27479f7bddec69219ae7449ea0831dafaad.exe
    "C:\Users\Admin\AppData\Local\Temp\baa24da08c1fa8c1493de69e06c6d27479f7bddec69219ae7449ea0831dafaad.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1708
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5GpUP4tv5O.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2584
        • C:\Users\All Users\Documents\WMIADAP.exe
          "C:\Users\All Users\Documents\WMIADAP.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:976
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\TAPI\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2228
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\WMIADAP.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\All Users\Documents\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\Application\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\Application\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2324
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2360
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "baa24da08c1fa8c1493de69e06c6d27479f7bddec69219ae7449ea0831dafaadb" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\baa24da08c1fa8c1493de69e06c6d27479f7bddec69219ae7449ea0831dafaad.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "baa24da08c1fa8c1493de69e06c6d27479f7bddec69219ae7449ea0831dafaad" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\baa24da08c1fa8c1493de69e06c6d27479f7bddec69219ae7449ea0831dafaad.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "baa24da08c1fa8c1493de69e06c6d27479f7bddec69219ae7449ea0831dafaadb" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\baa24da08c1fa8c1493de69e06c6d27479f7bddec69219ae7449ea0831dafaad.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2012
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:324
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:800
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2136
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\en-US\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\en-US\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2344

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\csrss.exe
      Filesize

      984KB

      MD5

      d77d185edb3dd7fd5d9c06c0c06a41e0

      SHA1

      76d587c2a7e008b6e560405288c746985cd0f517

      SHA256

      b01f47fedb70a53700cfcd48528e1056cea8cc0643cb57aabbcc466a1f75fe58

      SHA512

      c7a0e29595daf37d853fcb71c01c8c7ecae45b08907160a3a4ea377598d24d449bbe3c916e6a67c6d644acfc84efe5166b8f7844e060881958cc8d18e7cc3b5e

      Download Submit

    • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe
      Filesize

      984KB

      MD5

      c7c936018ed654eb04b5134b6254af77

      SHA1

      051a69111ace14b75dc7a1efb75d573ded9bf65c

      SHA256

      baa24da08c1fa8c1493de69e06c6d27479f7bddec69219ae7449ea0831dafaad

      SHA512

      72bebc9aadd789ceed81aa7110524fbf841e791af46e5b57b3235d4da6266f19ff608b4fac97b3d397e39b939aa55f671301b30b1a6b7d6d0b709da945a6a6ae

      Download Submit

    • C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\explorer.exe
      Filesize

      984KB

      MD5

      c20410858900f84229ac5b00e15f6222

      SHA1

      a83d229fedbbae855679d49b2e5b4bcab06bcd7b

      SHA256

      61e936eee6fa5cdbca307ae67a88453eb9e2e5323c8b224edc39b2cc67402749

      SHA512

      2e7a4892f6f04fb87bf326f7dcdbc01748c8529775e8a4d3f9ada82447375de5b05ee67136d1cf0f581323459da0df99a78fe8eb745a29272b05ac844931bd48

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\5GpUP4tv5O.bat
      Filesize

      205B

      MD5

      ff1441d6c42fe43aca518dceeb9660b0

      SHA1

      bb1d489dd6a2f3ff52216e4bc672221550632ee3

      SHA256

      6ec0c6e919f4d8a67b5de0cd16c184dc430752a0a93a6b1e5cd19980cb41764b

      SHA512

      4704654c426f529de43e8ccb1afa20b867148d2e69b425e8df558ab18acffa8dd1cf8e41091274ed066384e5a877abc88f998e310672b41f98f6f37e02f74f0f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      14b2b383327e692b145ee2248c19c500

      SHA1

      0865db6a8817a4cc189318325afcd720d3557010

      SHA256

      9937998ac4591c70be3e4faf2901bc6d14e96d79a10cae38c7af28a0f6c42613

      SHA512

      c74de34fbd2d989252d0ba56c4ea9effa8da481bc39920690d8b6a659be07f1abe7c2b821e454cfb04bb869fe47b346cc61498fbf3025cb106f230bfcced9414

      Download Submit

    • memory/976-295-0x0000000000020000-0x000000000011C000-memory.dmp

      Filesize

      1008KB

      Download

    • memory/1008-253-0x000000001B640000-0x000000001B922000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1672-255-0x0000000001F00000-0x0000000001F08000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1880-5-0x0000000000770000-0x0000000000780000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1880-7-0x0000000000780000-0x000000000078A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1880-10-0x0000000001FF0000-0x0000000001FFC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1880-12-0x0000000002010000-0x000000000201E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1880-11-0x0000000002000000-0x0000000002008000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1880-13-0x0000000002020000-0x000000000202C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1880-14-0x0000000002030000-0x000000000203C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1880-15-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1880-8-0x0000000001F50000-0x0000000001F5C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1880-9-0x0000000001F60000-0x0000000001F6C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1880-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1880-200-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1880-213-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1880-6-0x0000000001F30000-0x0000000001F46000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1880-230-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1880-4-0x0000000000460000-0x0000000000468000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1880-3-0x0000000000450000-0x000000000045E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1880-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1880-1-0x0000000000010000-0x000000000010C000-memory.dmp

      Filesize

      1008KB

      Download