Overview

overview

10

Static

static

10

cb45bfa4b2...32.exe

windows7-x64

7

cb45bfa4b2...32.exe

windows10-2004-x64

7

cb48b9ffc8...ab.exe

windows7-x64

10

cb48b9ffc8...ab.exe

windows10-2004-x64

10

cb642e19ad...e6.exe

windows7-x64

7

cb642e19ad...e6.exe

windows10-2004-x64

7

cb64f92875...a6.exe

windows7-x64

7

cb64f92875...a6.exe

windows10-2004-x64

7

cb81b6d0e8...88.exe

windows7-x64

10

cb81b6d0e8...88.exe

windows10-2004-x64

10

cbaee22513...a5.exe

windows7-x64

10

cbaee22513...a5.exe

windows10-2004-x64

10

cbbf316076...27.exe

windows7-x64

1

cbbf316076...27.exe

windows10-2004-x64

1

cbc319d807...7c.exe

windows7-x64

10

cbc319d807...7c.exe

windows10-2004-x64

10

cbe09d8033...e7.exe

windows7-x64

10

cbe09d8033...e7.exe

windows10-2004-x64

10

cbf8cf5e7e...d1.exe

windows7-x64

10

cbf8cf5e7e...d1.exe

windows10-2004-x64

10

cbf9083762...57.exe

windows7-x64

10

cbf9083762...57.exe

windows10-2004-x64

10

cc027f345e...df.exe

windows7-x64

10

cc027f345e...df.exe

windows10-2004-x64

10

cc22848f9c...20.exe

windows7-x64

10

cc22848f9c...20.exe

windows10-2004-x64

10

cc25555aa2...ec.exe

windows7-x64

10

cc25555aa2...ec.exe

windows10-2004-x64

10

cc52f061bf...a0.exe

windows7-x64

6

cc52f061bf...a0.exe

windows10-2004-x64

6

cc609db84e...1e.exe

windows7-x64

7

cc609db84e...1e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbf9083762908e0056a1584ad1df9457.exe

  • Size

    5.9MB

  • MD5

    cbf9083762908e0056a1584ad1df9457

  • SHA1

    0baab27622e89f104420a8f28b43eed94b3b922d

  • SHA256

    ecaf5a16ff5d2163193af68382c1539e94013e2965c331dcfe4c1111d2f7f4ab

  • SHA512

    07dae15db1ea7d296d66187ef022a64f46057f57982e3124cad47e54f408caf40a3a87a41981a6916eac50705e68c1b65a2b18b202e0c171a7ef0204403aabca

  • SSDEEP

    98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw47:RyeU11Rvqmu8TWKnF6N/1wO

Score
10/10
dcratdefense_evasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    defense_evasiontrojan
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • System policy modification 1 TTPs 12 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbf9083762908e0056a1584ad1df9457.exe
    "C:\Users\Admin\AppData\Local\Temp\cbf9083762908e0056a1584ad1df9457.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1260
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Users\All Users\Templates\OSPPSVC.exe
      "C:\Users\All Users\Templates\OSPPSVC.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3048
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bc69aa2-d6b2-403a-9da8-f4658e3698d9.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Users\All Users\Templates\OSPPSVC.exe
          "C:\Users\All Users\Templates\OSPPSVC.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2624
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaa66ef3-1085-4335-83c8-58ea392287a7.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2364
            • C:\Users\All Users\Templates\OSPPSVC.exe
              "C:\Users\All Users\Templates\OSPPSVC.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1960
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1645efbe-6237-4d9e-99ad-a58e6377a5f3.vbs"
                7⤵
                  PID:1600
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebd01e23-4fa8-4663-93ed-64399ae97f02.vbs"
                  7⤵
                    PID:1668
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\636ef119-f9d0-4ec5-91b7-914c1b0fbf6d.vbs"
                5⤵
                  PID:1768
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\240ab661-095a-48a1-938f-6bcd77d2ad37.vbs"
              3⤵
                PID:2212
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\lsm.exe'" /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2740
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1784
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2704
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Pictures\Idle.exe'" /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2768
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2520
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Pictures\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2500
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\zh-CN\WMIADAP.exe'" /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1280
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\SysWOW64\zh-CN\WMIADAP.exe'" /rl HIGHEST /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\zh-CN\WMIADAP.exe'" /rl HIGHEST /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1384
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\taskhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:868
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2792
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2912
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\inf\MSDTC\spoolsv.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2028
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\inf\MSDTC\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2992
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\inf\MSDTC\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1728
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cbf9083762908e0056a1584ad1df9457c" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cbf9083762908e0056a1584ad1df9457.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:316
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cbf9083762908e0056a1584ad1df9457" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cbf9083762908e0056a1584ad1df9457.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1928
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cbf9083762908e0056a1584ad1df9457c" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cbf9083762908e0056a1584ad1df9457.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1060
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\ja-JP\dwm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2348
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2088
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\ja-JP\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2076
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\OSPPSVC.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2384
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2788
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:548
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:328
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:448
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2172
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\system\OSPPSVC.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1944
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\system\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1608
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\system\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1516
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1688
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2464
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2024
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1764
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1480
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1080
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\OSPPSVC.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2196
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Templates\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2236
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:812
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2232
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2300
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2364
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:888
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2212
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1700
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1952
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:780
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:320

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Windows\Templates\OSPPSVC.exe
            Filesize

            5.9MB

            MD5

            9f93faaef96cebe9a3eccf8a242c1460

            SHA1

            18e7f18c5071f8c335f5eb711d245df55f41c714

            SHA256

            f5e3cb610e33f6f39d2268b99bc0e7755e92ff1bd8b38f7c35668d17a10ca939

            SHA512

            1534a491842a2a25460971b16ac6a43b4c6a100f804a8970f0374cd43eb3f28a92548feb4bc58a180a52894ccb0f6d7c39983753ecebc3f1fd7f5ad3c560cbf0

            Download Submit

          • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\RCXDCC4.tmp
            Filesize

            5.9MB

            MD5

            e41f9541865670f91aa7ad2e2403fd99

            SHA1

            89b93252af70d58938aa042ff11a5fc8c0710740

            SHA256

            516d7a3435baa1e42a45c70721ae8bb3794d60fad7580736780320caf450f9c7

            SHA512

            2948fee9108abdb8729c39888ee14ab98099ce793c49c42165bc3952bd54040f47a433e05fe120b8f7ab5b887187000923d526aadb470d977b90284efed057f3

            Download Submit

          • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
            Filesize

            5.9MB

            MD5

            8f7df089a5808e6bbbc7b1896056ee8d

            SHA1

            8a57edab6190259811f1f85af9aecdd159b82888

            SHA256

            a6a9cc2e79084a6c4d5f896328ff336e2589e37b7e395568143e45f9be09fbe6

            SHA512

            56733a0d325e3538262244aab074b8bb95363143218780a06b7a8ace5cdb4302bebccdbb1444fc36b594377027357c5a5fffd606b2ae8fa462913b34a630e689

            Download Submit

          • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe
            Filesize

            5.9MB

            MD5

            6a15fcf738fceb64d9a3bc0b11a0c4f8

            SHA1

            5bd85a44374a7c8b269c79901e0171d849292c85

            SHA256

            2a39af6c62030327237fef580c3e76ec2be0e2732095276a0a8c243cca76a19c

            SHA512

            38a497ea1794b3f82c17336d04ee527de84fd47ca086efab01aff95fad00b1316b12c5a4babe575f1d1768a9fde2919b7ea3979d5d67f01946b3e54c148587a4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\1645efbe-6237-4d9e-99ad-a58e6377a5f3.vbs
            Filesize

            716B

            MD5

            e9f6ab5c821e625f0fefb21600b75734

            SHA1

            da0dd9b7b41e6e4ae929afb5b2654092225167ba

            SHA256

            391df942f2fa095e65305fe4e8575efdc421272c2fd4d13cad966fdb7c17d747

            SHA512

            f225876092b7b5eae3cd1f11a597c22713cb017587ab2b0dea0fdc702cc1f67dbef5989dfa1fe2a14bec016dd3f7402d6573be41ba2247c6e562ae053e02cf52

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\240ab661-095a-48a1-938f-6bcd77d2ad37.vbs
            Filesize

            492B

            MD5

            2c3c6c43ada72e59b04a12e51d8d1b7b

            SHA1

            440c9d6509ba23017375b4e9ad07acab8b8b2751

            SHA256

            919156a262bb182661bb793a0ab927366a2c72f2f0bdbe5781aa78962f693ea3

            SHA512

            02e2fdc9692c1a729e415e6aa23057b6a90fdbf954383e8d4c88aa47a6793555f92480af0eb74f1d1d3c1633217186fc4ca99db0642a4b1a1b57a6207b802987

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\4bc69aa2-d6b2-403a-9da8-f4658e3698d9.vbs
            Filesize

            716B

            MD5

            b684e7f7d8d3ad6a8c34de97be233374

            SHA1

            411e8bc4a4ce7e28e3b8993840e2a2b5b92532ca

            SHA256

            c3d82f0662708b8a284b9d75a0353bf363fe54345e9ffe1021efc588af0d89c8

            SHA512

            1faf8a6ce8acac5c61e2bcdf1e6f23f830c11e15918da8e7164702fb1792c7a557615ba79af7ae58f3ff4702578b4e91c0d6c91a36d48a9dc7ce45f725f5f268

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\eaa66ef3-1085-4335-83c8-58ea392287a7.vbs
            Filesize

            716B

            MD5

            6fdc0e31e8516f523aa5feab258a31cf

            SHA1

            6db03f367961cccc8b132d6d6e389adb827b20ba

            SHA256

            8bb6d1ddb6687c338fe81e46d15d82a62a5721251eaaa463a907fc771e40e7c0

            SHA512

            93f423c18d8a12b449262dd844bcf3f84a02dcca7b2bc309e28e87625a032ac8f3d920e43f21dae207d95b9d5875f6f8628572ca4d334dd0eccbbd2acc3cdf82

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            d82f079a563afe6119255742c582ad91

            SHA1

            53eac92981906fa89d9909c5421e95de8256a8ea

            SHA256

            d9c93184c14df71f0ea5fc2b4fea1baff28bfd95d10cc2900a40f86fd27570cd

            SHA512

            f8144f94cda50f80be13c612e58fe267bf2e2dfab4a8f0ac06a6df30dc9c4691f2b56b592dbe928525f4bf8f8573ceafee6cdd237807dfbd07613af2f8d2aaf8

            Download Submit

          • C:\Users\Admin\Pictures\Idle.exe
            Filesize

            5.9MB

            MD5

            c2dbb3f990fa5df50b7ddb8ccb36c3e3

            SHA1

            d98c220133cc79c5590b0539e8c76a96e9bfe696

            SHA256

            f9225600a7bc0adf17fbc282b18d768d52c1c45cf4ac59b7ee6a5e1706334475

            SHA512

            d10ff27f704b9b64e692e66d5603fd7aad0935cb3744605066a1f580382ec66d71714fd2c17fc8677e46b21fe12f4e6ece0c4489faa6966293762d4bbef54133

            Download Submit

          • C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\OSPPSVC.exe
            Filesize

            5.9MB

            MD5

            b7ee712f077f7867a71a5bdfc1b5c981

            SHA1

            14b2a0d62135bccb2d624019fb00cc5dd5166899

            SHA256

            744f18feece5da9451098d0ec5799064b12819bcff8543cb2d8ca1123d626047

            SHA512

            fbc25c0eed7ac5b41fa49803a672bf6acf3dd8db1d840b2fbc37227b5a55a8286a149e7568ee6a6f0bf7e0008cb093ad96beee265ee2cd5e823d4fedf73700d6

            Download Submit

          • C:\Windows\SysWOW64\zh-CN\WMIADAP.exe
            Filesize

            5.9MB

            MD5

            aaa1f811198d70e718a0f9bbc68d8e95

            SHA1

            7c5c2b71ef8f67e8f43950978de948fe91471919

            SHA256

            b15a897a0185cccf230ef5d702698902c1868f4c28348a444f65a3ba118d53fc

            SHA512

            2fe0d312d957da1f7c91123e7dbabd9c2eca9ca05fc4b80061c41544745850581f5973f04005987999f50f9b4b90879b7e8b1c2af1819bf7fffaf350ff2dcf57

            Download Submit

          • C:\Windows\inf\MSDTC\spoolsv.exe
            Filesize

            5.9MB

            MD5

            cbf9083762908e0056a1584ad1df9457

            SHA1

            0baab27622e89f104420a8f28b43eed94b3b922d

            SHA256

            ecaf5a16ff5d2163193af68382c1539e94013e2965c331dcfe4c1111d2f7f4ab

            SHA512

            07dae15db1ea7d296d66187ef022a64f46057f57982e3124cad47e54f408caf40a3a87a41981a6916eac50705e68c1b65a2b18b202e0c171a7ef0204403aabca

            Download Submit

          • memory/1720-23-0x000000001B060000-0x000000001B072000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1720-12-0x0000000002880000-0x0000000002892000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1720-0-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1720-19-0x000000001B030000-0x000000001B038000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1720-27-0x000000001B570000-0x000000001B57C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1720-31-0x000000001B910000-0x000000001B91A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1720-32-0x000000001B920000-0x000000001B92E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1720-34-0x000000001B940000-0x000000001B94E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1720-39-0x000000001BCA0000-0x000000001BCAC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1720-38-0x000000001BC90000-0x000000001BC9A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1720-37-0x000000001B9F0000-0x000000001B9F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1720-36-0x000000001B9E0000-0x000000001B9EC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1720-35-0x000000001B9D0000-0x000000001B9D8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1720-33-0x000000001B930000-0x000000001B938000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1720-30-0x000000001B5A0000-0x000000001B5AC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1720-29-0x000000001B590000-0x000000001B598000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1720-28-0x000000001B580000-0x000000001B58C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1720-21-0x000000001B050000-0x000000001B058000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1720-26-0x000000001B560000-0x000000001B568000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1720-25-0x000000001B550000-0x000000001B55C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1720-24-0x000000001B070000-0x000000001B07C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1720-15-0x0000000002910000-0x0000000002920000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1720-14-0x00000000027D0000-0x00000000027D8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1720-20-0x000000001B040000-0x000000001B04C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1720-11-0x0000000002780000-0x0000000002788000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1720-10-0x0000000002860000-0x0000000002876000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1720-8-0x0000000002760000-0x0000000002768000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1720-18-0x000000001AED0000-0x000000001AEDC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1720-17-0x000000001AFE0000-0x000000001B036000-memory.dmp

            Filesize

            344KB

            Download

          • memory/1720-16-0x000000001AEC0000-0x000000001AECA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1720-13-0x000000001AEB0000-0x000000001AEBC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1720-9-0x0000000002770000-0x0000000002780000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1720-217-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1720-6-0x0000000000300000-0x0000000000308000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1720-241-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1720-7-0x0000000000EA0000-0x0000000000EBC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/1720-5-0x00000000002F0000-0x00000000002FE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1720-1-0x0000000000320000-0x0000000000C18000-memory.dmp

            Filesize

            9.0MB

            Download

          • memory/1720-2-0x00000000002C0000-0x00000000002C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1720-3-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1720-335-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1720-4-0x00000000002E0000-0x00000000002EE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2624-348-0x0000000001130000-0x0000000001A28000-memory.dmp

            Filesize

            9.0MB

            Download

          • memory/2624-350-0x0000000000B30000-0x0000000000B42000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2820-284-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2820-278-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/3048-337-0x000000001AE50000-0x000000001AE62000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3048-310-0x0000000000DC0000-0x00000000016B8000-memory.dmp

            Filesize

            9.0MB

            Download