Overview

overview

10

Static

static

10

d92866420d...ea.exe

windows7-x64

10

d92866420d...ea.exe

windows10-2004-x64

10

d986bd8230...2e.exe

windows7-x64

7

d986bd8230...2e.exe

windows10-2004-x64

7

d9a7a84e51...74.exe

windows7-x64

10

d9a7a84e51...74.exe

windows10-2004-x64

10

d9cf29b555...3f.exe

windows7-x64

10

d9cf29b555...3f.exe

windows10-2004-x64

10

d9d8ce72be...b6.exe

windows7-x64

10

d9d8ce72be...b6.exe

windows10-2004-x64

10

da04c1cc45...42.exe

windows7-x64

10

da04c1cc45...42.exe

windows10-2004-x64

10

da2ab0267a...4d.exe

windows7-x64

7

da2ab0267a...4d.exe

windows10-2004-x64

10

da4889c628...ff.exe

windows7-x64

10

da4889c628...ff.exe

windows10-2004-x64

10

da73f61369...a3.exe

windows7-x64

10

da73f61369...a3.exe

windows10-2004-x64

10

dadf12489e...10.exe

windows7-x64

10

dadf12489e...10.exe

windows10-2004-x64

10

dae2049164...df.exe

windows7-x64

10

dae2049164...df.exe

windows10-2004-x64

10

db06d80b63...7f.exe

windows7-x64

10

db06d80b63...7f.exe

windows10-2004-x64

10

db0b5b8185...a6.exe

windows7-x64

7

db0b5b8185...a6.exe

windows10-2004-x64

7

db34bce8df...eb.exe

windows7-x64

6

db34bce8df...eb.exe

windows10-2004-x64

6

db41218c5e...fd.exe

windows7-x64

1

db41218c5e...fd.exe

windows10-2004-x64

1

db547399ad...cd.exe

windows7-x64

10

db547399ad...cd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dadf12489ed76150718a6ef93c7fe010.exe

  • Size

    5.9MB

  • MD5

    dadf12489ed76150718a6ef93c7fe010

  • SHA1

    1895e40361a27955832e7bc518359440fb716236

  • SHA256

    3769933e54a8e2c3df8af84017b52a270b5307cea7df0386d860214bb9fda3eb

  • SHA512

    4edfdc0b1231d4c757ada0f66711fafb13f812e9c8cc0b10efd41f514732a3ab6607a5403ea2b1c711758a72964ef9cc9cd962e7a5ad0be0356b339677cc9c94

  • SSDEEP

    98304:ByeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4/:ByeU11Rvqmu8TWKnF6N/1wG

Score
10/10
dcratdefense_evasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat 40 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 15 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 10 IoCs
    defense_evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 15 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\dadf12489ed76150718a6ef93c7fe010.exe
    "C:\Users\Admin\AppData\Local\Temp\dadf12489ed76150718a6ef93c7fe010.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Drops file in Drivers directory
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1872
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\InDilzWBgx.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2036
        • C:\Users\Admin\AppData\Local\Temp\dadf12489ed76150718a6ef93c7fe010.exe
          "C:\Users\Admin\AppData\Local\Temp\dadf12489ed76150718a6ef93c7fe010.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2780
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2292
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1588
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2452
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2336
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:928
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yX5OxKdcmS.bat"
            4⤵
              PID:2052
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                5⤵
                  PID:688
                • C:\Program Files\Internet Explorer\ja-JP\OSPPSVC.exe
                  "C:\Program Files\Internet Explorer\ja-JP\OSPPSVC.exe"
                  5⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:2912
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bb80b17-2785-487b-a5f2-3d2a7efdd779.vbs"
                    6⤵
                      PID:2024
                      • C:\Program Files\Internet Explorer\ja-JP\OSPPSVC.exe
                        "C:\Program Files\Internet Explorer\ja-JP\OSPPSVC.exe"
                        7⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2400
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\354a6cc4-f0f3-4d85-ae6f-b2a5323a0629.vbs"
                          8⤵
                            PID:1880
                            • C:\Program Files\Internet Explorer\ja-JP\OSPPSVC.exe
                              "C:\Program Files\Internet Explorer\ja-JP\OSPPSVC.exe"
                              9⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:2000
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f534722f-16b6-4948-8155-3011d6b3582a.vbs"
                                10⤵
                                  PID:2088
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7c7c72a-29a1-4b0d-88f5-e931148c177b.vbs"
                                  10⤵
                                    PID:332
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3ec525f-d4b4-470f-a7ab-02a8645bd5b4.vbs"
                                8⤵
                                  PID:3020
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0da01b51-317b-4d8e-976e-3fe9ad83edfd.vbs"
                              6⤵
                                PID:2100
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\dwm.exe'" /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2088
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\dwm.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2896
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Favorites\dwm.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2884
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\smss.exe'" /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3040
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2240
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2128
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\My Videos\taskhost.exe'" /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1728
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\taskhost.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2352
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\My Videos\taskhost.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1608
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:676
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1656
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1216
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\smss.exe'" /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2860
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\smss.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2436
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\smss.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1224
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2020
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2096
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1100
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:688
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1320
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2980
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\WmiPrvSE.exe'" /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2620
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2656
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2764
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2556
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:380
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2460
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\explorer.exe'" /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2820
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Fonts\explorer.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2800
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\explorer.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2552
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3000
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2844
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2192
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\ja-JP\OSPPSVC.exe'" /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1600
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1436
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
                      1⤵
                      • DcRat
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2828

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Program Files\Google\Chrome\Application\SetupMetrics\smss.exe
                      Filesize

                      5.9MB

                      MD5

                      dadf12489ed76150718a6ef93c7fe010

                      SHA1

                      1895e40361a27955832e7bc518359440fb716236

                      SHA256

                      3769933e54a8e2c3df8af84017b52a270b5307cea7df0386d860214bb9fda3eb

                      SHA512

                      4edfdc0b1231d4c757ada0f66711fafb13f812e9c8cc0b10efd41f514732a3ab6607a5403ea2b1c711758a72964ef9cc9cd962e7a5ad0be0356b339677cc9c94

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\0da01b51-317b-4d8e-976e-3fe9ad83edfd.vbs
                      Filesize

                      504B

                      MD5

                      014804ec2213d8809969e09e822dc88d

                      SHA1

                      7b343df25afe981840c00534825507640c9e969b

                      SHA256

                      11d77d72551551a6f0d94780e48105c780ca76bf362f623f1ba3ba6394a7918c

                      SHA512

                      d1b84c066ba6718bdbbd74df41ff55f56649174d2d4dceb1b70ec7037afc3eeadf01b2f7a8bbb8b1b8679247951736d103781483f2bc19d67e0c718750cc29a0

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\354a6cc4-f0f3-4d85-ae6f-b2a5323a0629.vbs
                      Filesize

                      728B

                      MD5

                      12f8e5236c4cf232d10a30c6be5ea0c4

                      SHA1

                      77fad01426dee5ea27751fcc3a90112ddd027078

                      SHA256

                      812f26fe8c9783a6d4fd53ae1d50d3b321ed6f91c99cd41387f04105781e5878

                      SHA512

                      da2a517c56fe2633a1d9dbf25b0256ad56063a0a0294246252a45441cfbba1df4f0209e8f72e21c3f5d7ba8a098e1fb251eaa704a4365956a3c6f0bf837cbe18

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\8bb80b17-2785-487b-a5f2-3d2a7efdd779.vbs
                      Filesize

                      728B

                      MD5

                      68bc614924c7fbc26c25dbecdc0dee44

                      SHA1

                      85ac74e7427385a0142d43fe98308b675ef0cbe6

                      SHA256

                      054a80119ceb641609e881378e56b979c682399ea367b77c6fb881e65502aae4

                      SHA512

                      908e63cd98a8c184d815ce57ad8cd2a50a4563f021ab4e61add0a65c51c7e22a7757fc1e638ee9cb4270c0db70d03f1c883c6e4bd0091ee312f54683f77e041a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\InDilzWBgx.bat
                      Filesize

                      235B

                      MD5

                      5b90d198d21faa0f8541023540da069f

                      SHA1

                      5bf74ced90f9e2ed5187895f144193442048e91a

                      SHA256

                      f0a0afa4160754053298ca821d929e43f9ab2df955b211b6f670f78f94d150ee

                      SHA512

                      15cee0c35c7c29aa65e47ea9bf75e09b67248854e23ab9211c31f48503b36051ebe5e6cc2d765372505648d6fb19411790b34a01127a1913ccc5f1774c4b6193

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\f534722f-16b6-4948-8155-3011d6b3582a.vbs
                      Filesize

                      728B

                      MD5

                      cbaef4d6c55fe8da2af74bf331021c5f

                      SHA1

                      534e150c51d21ee94cacf4192d8ead3b99a1a3ac

                      SHA256

                      71566234eed3d280b0df39bd97906ee944e77bb40c3db8ae7bc1032ff7c18239

                      SHA512

                      071df1596f60a9f86d575a3256600ec8745fb961f30c022d6410819c9d6e0f37c43e0c1317da57f374c8bdb7591383403b9cbbddb4623c8e475fac9b5d3aa636

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\yX5OxKdcmS.bat
                      Filesize

                      217B

                      MD5

                      52e60b2975f6741962e8c878cbc081f1

                      SHA1

                      01102559f9dd7657748ddc31369f8ebab8004960

                      SHA256

                      fad41b79ffb5cb9e0c30751b18e6bc2e5439805bfdb214673279ec43324c2c32

                      SHA512

                      ded79903cc8874c8634cd0e42b2360c93c679670920c2cf40834b08c175338cf8b8272d545835d594e758753076b6cd299a8cfc35f9748830cfcc091e6188812

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                      Filesize

                      7KB

                      MD5

                      0d490ffa5b446f92d165af29d8023b9d

                      SHA1

                      03f321c251636998504e215c8e190d9d04ac3463

                      SHA256

                      ad53fb1c9f27653263e79185c1bc93f2847a6b557f71a402a8306f9443241a22

                      SHA512

                      e5c8b72d1641c2e19a1b032026d656f36d5a3480a0d42376fc469f85211e1bc0d925118a892d6f9c24f2d2dc059a3d6611e708f49e0c40c505d30dff4366e183

                      Download Submit

                    • C:\Users\Default\Videos\taskhost.exe
                      Filesize

                      5.9MB

                      MD5

                      3f61b7b4247c47a94fd43bed9aec41a5

                      SHA1

                      0e0b93bf8d230e3601582709e1e456bc036b990b

                      SHA256

                      8f052a5b74d666b8aa94cec48532dbf5a24323ea0e9c6c5dcdfb759be0a01777

                      SHA512

                      08c8c73e6c125b8934e3d9587d237de86d6333a6e8e619d9722341c1f744305be7b3f8fb76f034c06059b5188e43d680f40e00ef4bd7a0e57157a0fb5e988b97

                      Download Submit

                    • C:\Users\Public\Favorites\dwm.exe
                      Filesize

                      5.9MB

                      MD5

                      92b2a45d54f8c10c66422bfa4a8ea46e

                      SHA1

                      a82401bb844436601f7e448ae58ea9d006b404af

                      SHA256

                      6a8cf517044ca2fa67e2fce13a79cfa7284172b817b55e0d3d469f2995f73401

                      SHA512

                      f42e9519ba5fc72f98f8ad60061767f15d1e816fd0631f46ad0d1efb1517df3d42374a76961bf708e612da55db0b1864d1e6f05bec2cc0c2f800a5b8fc8117a1

                      Download Submit

                    • memory/556-180-0x0000000001290000-0x0000000001B88000-memory.dmp

                      Filesize

                      9.0MB

                      Download

                    • memory/556-182-0x0000000000600000-0x0000000000612000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/556-183-0x0000000000AF0000-0x0000000000B46000-memory.dmp

                      Filesize

                      344KB

                      Download

                    • memory/556-184-0x0000000001070000-0x0000000001082000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/716-128-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/944-126-0x000000001B6B0000-0x000000001B992000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/2000-308-0x0000000000B50000-0x0000000001448000-memory.dmp

                      Filesize

                      9.0MB

                      Download

                    • memory/2400-295-0x0000000000130000-0x0000000000A28000-memory.dmp

                      Filesize

                      9.0MB

                      Download

                    • memory/2692-15-0x0000000000530000-0x0000000000540000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2692-18-0x0000000000550000-0x000000000055C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2692-21-0x0000000002A00000-0x0000000002A08000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2692-23-0x0000000002A90000-0x0000000002AA2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/2692-24-0x000000001B570000-0x000000001B57C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2692-25-0x000000001B8E0000-0x000000001B8EC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2692-27-0x000000001BA00000-0x000000001BA0C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2692-26-0x000000001B8F0000-0x000000001B8F8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2692-28-0x000000001BA10000-0x000000001BA1C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2692-29-0x000000001BA30000-0x000000001BA38000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2692-30-0x000000001BA20000-0x000000001BA2C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2692-31-0x000000001BAC0000-0x000000001BACA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/2692-34-0x000000001BB70000-0x000000001BB7E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/2692-33-0x000000001BB60000-0x000000001BB68000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2692-32-0x000000001BB50000-0x000000001BB5E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/2692-35-0x000000001BB80000-0x000000001BB88000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2692-36-0x000000001BB90000-0x000000001BB9C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2692-37-0x000000001BBA0000-0x000000001BBA8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2692-38-0x000000001BBB0000-0x000000001BBBA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/2692-39-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2692-19-0x0000000000560000-0x0000000000568000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2692-20-0x0000000000950000-0x000000000095C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2692-17-0x0000000000900000-0x0000000000956000-memory.dmp

                      Filesize

                      344KB

                      Download

                    • memory/2692-16-0x0000000000540000-0x000000000054A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/2692-127-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/2692-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2692-14-0x0000000000400000-0x0000000000408000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2692-13-0x0000000000520000-0x000000000052C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2692-12-0x0000000000490000-0x00000000004A2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/2692-11-0x00000000003F0000-0x00000000003F8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2692-10-0x00000000003D0000-0x00000000003E6000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/2692-9-0x00000000003B0000-0x00000000003C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2692-8-0x00000000003A0000-0x00000000003A8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2692-1-0x0000000000960000-0x0000000001258000-memory.dmp

                      Filesize

                      9.0MB

                      Download

                    • memory/2692-2-0x0000000000130000-0x0000000000131000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2692-7-0x0000000000380000-0x000000000039C000-memory.dmp

                      Filesize

                      112KB

                      Download

                    • memory/2692-3-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/2692-6-0x0000000000370000-0x0000000000378000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2692-5-0x0000000000160000-0x000000000016E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/2692-4-0x0000000000150000-0x000000000015E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/2780-224-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/2780-225-0x00000000021D0000-0x00000000021D8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2912-283-0x00000000003A0000-0x0000000000C98000-memory.dmp

                      Filesize

                      9.0MB

                      Download