Overview

overview

10

Static

static

10

0ce8e2125c...fa.exe

windows7-x64

10

0ce8e2125c...fa.exe

windows10-2004-x64

10

0d08fd5994...a1.exe

windows7-x64

10

0d08fd5994...a1.exe

windows10-2004-x64

10

0d39a7ade0...a9.exe

windows7-x64

10

0d39a7ade0...a9.exe

windows10-2004-x64

10

0d7cbc8822...d3.exe

windows7-x64

10

0d7cbc8822...d3.exe

windows10-2004-x64

10

0da351d641...30.exe

windows7-x64

10

0da351d641...30.exe

windows10-2004-x64

10

0dcb9d68dd...81.exe

windows7-x64

10

0dcb9d68dd...81.exe

windows10-2004-x64

10

0de35a9720...08.exe

windows7-x64

3

0de35a9720...08.exe

windows10-2004-x64

3

0df2367bf9...81.exe

windows7-x64

10

0df2367bf9...81.exe

windows10-2004-x64

10

0df7144ed5...52.exe

windows7-x64

10

0df7144ed5...52.exe

windows10-2004-x64

10

0df97b99ca...e3.exe

windows7-x64

1

0df97b99ca...e3.exe

windows10-2004-x64

4

0e48a47f40...30.exe

windows7-x64

10

0e48a47f40...30.exe

windows10-2004-x64

10

0e820aad5e...54.exe

windows7-x64

10

0e820aad5e...54.exe

windows10-2004-x64

10

0ea0e36c70...d3.exe

windows7-x64

10

0ea0e36c70...d3.exe

windows10-2004-x64

10

0eb27c6385...3a.exe

windows7-x64

10

0eb27c6385...3a.exe

windows10-2004-x64

10

0ee8580c3e...ef.exe

windows7-x64

10

0ee8580c3e...ef.exe

windows10-2004-x64

10

0eed307263...f5.exe

windows7-x64

10

0eed307263...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d39a7ade0eaa19a185fc11508caeba9.exe

  • Size

    920KB

  • MD5

    0d39a7ade0eaa19a185fc11508caeba9

  • SHA1

    5083d9622465c43bc02a1edd71acd1d9ae75270c

  • SHA256

    51c94ec08bddcec2e7992bb2c758e8518850b373e649ac57c9c26067715bd2ea

  • SHA512

    480bbfb12c3bbde7cff197f069a9aec5558464f417c7920f0dd09e4b1ba859d9e7b7d7f552a7bad094a3ec49069ce442240be5380e2d1ee0de6cec6f514506b0

  • SSDEEP

    12288:lANcYfRu9sAPayJk5cz9VBRmWAJXJmn72Rfc/G/BwG5vo5YTJRI1m2h47oJuzlZ4:lAbJwPa3YnGWnSR/uGuFQaRQj/

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 16 IoCs
    persistence
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 16 IoCs
    persistence
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d39a7ade0eaa19a185fc11508caeba9.exe
    "C:\Users\Admin\AppData\Local\Temp\0d39a7ade0eaa19a185fc11508caeba9.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W2tbEWSDqo.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1608
        • C:\Users\Admin\Links\Idle.exe
          "C:\Users\Admin\Links\Idle.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2312
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "EEFA0d39a7ade0eaa19a185fc11508caeba9" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\it-IT\0d39a7ade0eaa19a185fc11508caeba9.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "CKuP0d39a7ade0eaa19a185fc11508caeba9" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\0d39a7ade0eaa19a185fc11508caeba9.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "gicB0d39a7ade0eaa19a185fc11508caeba9" /sc ONSTART /tr "'C:\Windows\IME\it-IT\0d39a7ade0eaa19a185fc11508caeba9.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "0d39a7ade0eaa19a185fc11508caeba9" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\it-IT\0d39a7ade0eaa19a185fc11508caeba9.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2512
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "DuTelsm" /sc MINUTE /mo 13 /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Yopmlsm" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "BDJrlsm" /sc ONSTART /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "9VTEIdle" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TGOcIdle" /sc ONLOGON /tr "'C:\Users\Default\Links\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "UKdsIdle" /sc ONSTART /tr "'C:\Users\Default\Links\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:584
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "AphWIdle" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dvbCIdle" /sc ONLOGON /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2916
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "5i24Idle" /sc ONSTART /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2904
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "FZ6yaudiodg" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "KWW8audiodg" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2024
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "NyaDaudiodg" /sc ONSTART /tr "'C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1232
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "LE27csrss" /sc MINUTE /mo 12 /tr "'C:\ProgramData\Adobe\Updater6\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "UmUacsrss" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Updater6\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "P1Mccsrss" /sc ONSTART /tr "'C:\ProgramData\Adobe\Updater6\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Adobe\Updater6\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2756
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "k01dcsrss" /sc MINUTE /mo 7 /tr "'C:\ProgramData\Microsoft Help\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "NZEzcsrss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "bGPJcsrss" /sc ONSTART /tr "'C:\ProgramData\Microsoft Help\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Microsoft Help\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "YJrfSystem" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "UPRRSystem" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "QMvvSystem" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2344
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hxp5dllhost" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2860
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "vha6dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "yESZdllhost" /sc ONSTART /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IzJZexplorer" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\DPX\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1004
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "zjjiexplorer" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2884
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "I3yeexplorer" /sc ONSTART /tr "'C:\Windows\Logs\DPX\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:408
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\DPX\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "leDYcsrss" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "aug5csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1368
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "jLWLcsrss" /sc ONSTART /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1204
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "imBBdllhost" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "a7CGdllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2248
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ed8cdllhost" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "pVgmsppsvc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ivCXsppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1884
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "mW1Bsppsvc" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2240
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cMRwIdle" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "CNJ3Idle" /sc ONLOGON /tr "'C:\Users\Default\Templates\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "AxaqIdle" /sc ONSTART /tr "'C:\Users\Default\Templates\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2176
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "52J5audiodg" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "1GdFaudiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "ElbCaudiodg" /sc ONSTART /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "PL8Olsm" /sc MINUTE /mo 8 /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "EkHhlsm" /sc ONLOGON /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2488
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Yqp9lsm" /sc ONSTART /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc MINUTE /mo 8 /tr "'C:\Documents and Settings\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:332

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe
      Filesize

      920KB

      MD5

      7ed129847c71263bad6885d936b2e7d4

      SHA1

      13c9319f7b6c81978d49ab452d68bd31088c8b5a

      SHA256

      cdf033b95e23ac2141d2869e1615067b71ee2054faa293d4c1eaca869aeefe8e

      SHA512

      da0c3e6e76692ea56510d734784baa26799b1fcbb9348aa12f99c8651a92cd5c0a805893bfdeb1a5c199a05be3b1c04f48099942377fff217dc77a7d768a45cd

      Download Submit

    • C:\ProgramData\Microsoft Help\lsm.exe
      Filesize

      920KB

      MD5

      302e70ae3225560c8f7df0ce9fc14d13

      SHA1

      f2552a166f9aedc798fc53f02bd575376e412e45

      SHA256

      03ccdfe491d4558628f752d71a471ca6db036eea46a2ba86d0f2ecfcc15b15a4

      SHA512

      f1ad2a1bd22230df1407e5089c0e11386d428cadae889fc5f565e32a918808bbb4143b77a96f75c803f09c5ccad051babeb7d63e5ca8de969b8df44df19b92fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\W2tbEWSDqo.bat
      Filesize

      193B

      MD5

      275a46077366ca08871774bcca4bc67d

      SHA1

      6e65e16a71519ae543d5a0bfd0d7874cfaee0cc5

      SHA256

      8abd0d4c7e95db92bfa69dc1cc2dba4a776625d932ae56098cb4660599ecf073

      SHA512

      22ac587c1af8424e38368b0679b8d49d8f1c60309dae80b3050ae8d82abbff61e3bceeeb2a7a99fd7928eb0d586351cf24243c8ac7c4ec06b56750c4a2f92a11

      Download Submit

    • C:\Users\Admin\Links\Idle.exe
      Filesize

      920KB

      MD5

      db919adb360cbf73db24d7f01e29a09d

      SHA1

      b417644c14b134649f132226ba9fd761b830c2aa

      SHA256

      794b03eae663397da17988310351f4046ac772e18f3f5c4be4d28828e4e5cd74

      SHA512

      4d8d6f0c32c4b262205390a8696b3056033e4f7ee591adba229b7da286ca4b4444782bae934bc3f186af59822f97f2a58fe23d377ae710147389e12bb01f1a27

      Download Submit

    • C:\Users\lsm.exe
      Filesize

      920KB

      MD5

      e366994ffb75f85bdac64392a44335e0

      SHA1

      cef99efa4f2ebbf62e34ee745f0e8b9621c063e8

      SHA256

      0ff09d8470cf16dfab69b6ed62f0d32781259910c7930bd77c9daf70aa7d443d

      SHA512

      5f02f9890a071da4fdff29c3ae37c9e43ccd8502acff13946ab6bb3600260d9d79ff5635287944cd83fca322b986f2c02dcce3d73f150afe69fb5bb7b1d273db

      Download Submit

    • C:\Windows\SoftwareDistribution\ScanFile\audiodg.exe
      Filesize

      920KB

      MD5

      0d39a7ade0eaa19a185fc11508caeba9

      SHA1

      5083d9622465c43bc02a1edd71acd1d9ae75270c

      SHA256

      51c94ec08bddcec2e7992bb2c758e8518850b373e649ac57c9c26067715bd2ea

      SHA512

      480bbfb12c3bbde7cff197f069a9aec5558464f417c7920f0dd09e4b1ba859d9e7b7d7f552a7bad094a3ec49069ce442240be5380e2d1ee0de6cec6f514506b0

      Download Submit

    • memory/2312-243-0x00000000011D0000-0x00000000012BC000-memory.dmp

      Filesize

      944KB

      Download

    • memory/2640-6-0x0000000000480000-0x0000000000492000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2640-8-0x00000000005B0000-0x00000000005BC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2640-3-0x0000000000440000-0x000000000045C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2640-0-0x000007FEF6363000-0x000007FEF6364000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2640-7-0x0000000000490000-0x000000000049C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2640-5-0x0000000000470000-0x0000000000480000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2640-4-0x0000000000460000-0x0000000000470000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2640-209-0x000007FEF6363000-0x000007FEF6364000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2640-2-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2640-233-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2640-240-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2640-1-0x00000000009E0000-0x0000000000ACC000-memory.dmp

      Filesize

      944KB

      Download

    • memory/2640-9-0x0000000000580000-0x0000000000588000-memory.dmp

      Filesize

      32KB

      Download