Overview

overview

10

Static

static

10

0ce8e2125c...fa.exe

windows7-x64

10

0ce8e2125c...fa.exe

windows10-2004-x64

10

0d08fd5994...a1.exe

windows7-x64

10

0d08fd5994...a1.exe

windows10-2004-x64

10

0d39a7ade0...a9.exe

windows7-x64

10

0d39a7ade0...a9.exe

windows10-2004-x64

10

0d7cbc8822...d3.exe

windows7-x64

10

0d7cbc8822...d3.exe

windows10-2004-x64

10

0da351d641...30.exe

windows7-x64

10

0da351d641...30.exe

windows10-2004-x64

10

0dcb9d68dd...81.exe

windows7-x64

10

0dcb9d68dd...81.exe

windows10-2004-x64

10

0de35a9720...08.exe

windows7-x64

3

0de35a9720...08.exe

windows10-2004-x64

3

0df2367bf9...81.exe

windows7-x64

10

0df2367bf9...81.exe

windows10-2004-x64

7

0df7144ed5...52.exe

windows7-x64

10

0df7144ed5...52.exe

windows10-2004-x64

10

0df97b99ca...e3.exe

windows7-x64

1

0df97b99ca...e3.exe

windows10-2004-x64

4

0e48a47f40...30.exe

windows7-x64

10

0e48a47f40...30.exe

windows10-2004-x64

10

0e820aad5e...54.exe

windows7-x64

10

0e820aad5e...54.exe

windows10-2004-x64

10

0ea0e36c70...d3.exe

windows7-x64

10

0ea0e36c70...d3.exe

windows10-2004-x64

10

0eb27c6385...3a.exe

windows7-x64

10

0eb27c6385...3a.exe

windows10-2004-x64

10

0ee8580c3e...ef.exe

windows7-x64

10

0ee8580c3e...ef.exe

windows10-2004-x64

10

0eed307263...f5.exe

windows7-x64

10

0eed307263...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e48a47f400685a0d5ded8ad220d8f30.exe

  • Size

    5.9MB

  • MD5

    0e48a47f400685a0d5ded8ad220d8f30

  • SHA1

    9e2de24fe28723727750f9e911fff325d74399bb

  • SHA256

    8ef226d36414c628f71bebb9a7724dbbe58ed58d280a35a32f4550593baf8c2a

  • SHA512

    66a3f552ae9cc6e4fc78ec683105a52b6f2ff4e7d8436438320a3e2332bb2ee0fc7ef61c909f8692137e7eccdcdcf3f898b810e18b64bc254dd08cb69ba77481

  • SSDEEP

    98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4G:RyeU11Rvqmu8TWKnF6N/1w3

Score
10/10
dcratdefense_evasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    defense_evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e48a47f400685a0d5ded8ad220d8f30.exe
    "C:\Users\Admin\AppData\Local\Temp\0e48a47f400685a0d5ded8ad220d8f30.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1292
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PKZ08zKlyu.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1472
        • C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
          "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2208
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a07e1d2-256b-491a-af7c-61dc8041e988.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2532
            • C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
              C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2444
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98a65f68-6802-443e-8c34-f34a9abbb5db.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2632
                • C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
                  C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2916
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e40cc5d-0c4c-4bb8-9368-3b7fc8d10ae9.vbs"
                    8⤵
                      PID:2188
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f10e9b51-76cf-42a3-9d74-bffb0b7c8ec7.vbs"
                      8⤵
                        PID:2940
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d834a89-1731-46f2-a141-ec3f7cf184b3.vbs"
                    6⤵
                      PID:1700
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3f6f06d-947f-4db0-8811-bd37d465a28b.vbs"
                  4⤵
                    PID:548
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\OSPPSVC.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2192
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Videos\OSPPSVC.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2640
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\OSPPSVC.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2756
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "0e48a47f400685a0d5ded8ad220d8f300" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\0e48a47f400685a0d5ded8ad220d8f30.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2792
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "0e48a47f400685a0d5ded8ad220d8f30" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\0e48a47f400685a0d5ded8ad220d8f30.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2636
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "0e48a47f400685a0d5ded8ad220d8f300" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\0e48a47f400685a0d5ded8ad220d8f30.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1604
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2292
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:992
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1132
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3008
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2864
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2852
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3012
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1728
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2604
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\taskhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1656
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1404
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1968
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2444
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\TAPI\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1628
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2320
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\Idle.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2124
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Libraries\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2064
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2268
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1112
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1280
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1068
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\lsass.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2132
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1716
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1872
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\System.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1544
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2184
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1924
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:768
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1788
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:620
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1744
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2588
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1040
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SendTo\OSPPSVC.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:788
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\OSPPSVC.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1912
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\OSPPSVC.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1780
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Idle.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:796
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1760
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1972
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1640
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1588
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2304
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2460
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:568
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2516

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe
              Filesize

              5.9MB

              MD5

              0e48a47f400685a0d5ded8ad220d8f30

              SHA1

              9e2de24fe28723727750f9e911fff325d74399bb

              SHA256

              8ef226d36414c628f71bebb9a7724dbbe58ed58d280a35a32f4550593baf8c2a

              SHA512

              66a3f552ae9cc6e4fc78ec683105a52b6f2ff4e7d8436438320a3e2332bb2ee0fc7ef61c909f8692137e7eccdcdcf3f898b810e18b64bc254dd08cb69ba77481

              Download Submit

            • C:\Program Files\Internet Explorer\taskhost.exe
              Filesize

              5.9MB

              MD5

              372e9d1af6bbb20595a524618a07a486

              SHA1

              25ba56c7d8ba2ec2a7e5119246a5cfdc9b7cd27d

              SHA256

              8d06cfeaa17ed30a2a29988b1f6bd93bc75ef5032f7c186e50b7ef8bab4e3942

              SHA512

              1ff20f4976501f29f643be08ea13593c32ed521193f0b6c4cd146b59522d6f72479baa89c5ca52b13a7e3b8856f1205d59cf8a312307b2a0d9914e78a4276912

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\6a07e1d2-256b-491a-af7c-61dc8041e988.vbs
              Filesize

              734B

              MD5

              c0c61d421bb747c6fc2b5b788d810e4b

              SHA1

              39f37d13a8c76635d2bf29630c44c2cde82492a5

              SHA256

              3bfc68bd57d48f9dd75f224e542459968b1d919b24f2de5d1804cfb41c342fb7

              SHA512

              713bb5ab67d8f9a87fc6e2e17f968445a94f35dfe776e616ebca8d411a3f1c5c868126cd0c4fe17f86234beb43d885c12c7d22a3b94874f12d2b8d1656a3b38a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\6e40cc5d-0c4c-4bb8-9368-3b7fc8d10ae9.vbs
              Filesize

              734B

              MD5

              183778a11a6db131088508808e1d43a4

              SHA1

              bed4d4bbfb8e8073fa3c19cdefe7da92ef3989d0

              SHA256

              46eb3e6eb17968375bb9dce823e7d6e5cbddb674ec325cb36f8553d6996e7b62

              SHA512

              e87e79485d137411a8248254de4cdf845c8f1f8db5f3c19cd2a828ba70d78515cd4e9e227523b50659df151893b9fb5d3e7164a16e7cd52620642ea7388f9be0

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\98a65f68-6802-443e-8c34-f34a9abbb5db.vbs
              Filesize

              734B

              MD5

              d7f12123cb90029c41e81c977bdda0fb

              SHA1

              770cb9f723525506b8cf39f00f003c2ea9cb31f4

              SHA256

              f4f8cc2ff37bac9296599016254eb7c71ad86a67cd7b8084ae4dc82ff23796d4

              SHA512

              46e5993618505e80a7aeb94aaa69f97d51c2de2b7ca5e57e79f3fbea008c7984af4da850be27e368059a7c430bdd6bf3ff6ce819ea13dda14adf06aa99d64a1c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\PKZ08zKlyu.bat
              Filesize

              223B

              MD5

              5b4790870a3853574534443ea2f15b47

              SHA1

              eec489d716ec780f49e201178dec308e67db1f3a

              SHA256

              367605140f203508ed3bec135ead2d449c35f9d3610e9d75d41bbebd3b455ba0

              SHA512

              a5c639c7843ea47a2a94a2013cfe30086e8d28ca86d076116025bb5264ad7ef21612314d2caf53621cfde4244ce27d3335713d4977167e1ede0b92c171bcc05e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\b3f6f06d-947f-4db0-8811-bd37d465a28b.vbs
              Filesize

              510B

              MD5

              8919dd07ce893b1f4d1376b5f5296576

              SHA1

              79ec9610b6dd3f8d1c44b1316573cf1d39efb521

              SHA256

              0c2b753bcfe302b90fcdabed7b5711100c50f1aa98ee9498ceb16019ec560f0f

              SHA512

              d69cd653b5856210c757a9b8bc7b3c8e5b1d23ad50a94668cc00eec3ff3c54fd94933424fee1a261f73549a7b901dabd489c28783e5114810a51a172c242766c

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
              Filesize

              7KB

              MD5

              7d544b0e756b7d9660e1d55c06fe7900

              SHA1

              76616412dfbc9ac26f8e1604c74c666b9bb7ce9f

              SHA256

              033580156bd4ade3167fd9bb1071991307ff1a5fb0b5b03e80dccd12d9d85cb1

              SHA512

              f75f5cc780b35a3a89bae62491cb018a2c2caf4ddbb8db2ccdcf721d1715d1ce69003202acf0b9fb646db822df69b9f793dbb88dad2cbce26a40e4e5b7dc848e

              Download Submit

            • C:\Users\Default\System.exe
              Filesize

              5.9MB

              MD5

              9bad748313cbe2aabaf4c4a1202a1d5c

              SHA1

              5ab6d960c07f4a8c8b997767add5f902b943ed0b

              SHA256

              afa7a91ecec09519d6c9cf0970e7fbcf6b26c2ec071472cdbda231d0e25fb411

              SHA512

              d20af0618e0f4bc520f5e1986284ab371183a69c81aa68717cbac603f5d95011eb9df00a21840f8ec7bc30ed0be5d6f791d3c104778ca48c4653e73802af6ed1

              Download Submit

            • C:\Users\Public\Favorites\csrss.exe
              Filesize

              5.9MB

              MD5

              3712ee9e509ec2298bc74fccf329a58f

              SHA1

              c11872d2e9b00b0197a08db9d7a974cd7dae05e0

              SHA256

              e5faf136edcca46a88844213df15fc683d80f9ec70618886df8ccd7022a301fb

              SHA512

              fac4b90b92d5017bc022e76a5e7b26f3adb6e9fa5f8e7821ca4e7d5994e4f427c8ef40f285d2d720bfcab79d2c8a3a740ddc582c423d038dc57a858d61d87be7

              Download Submit

            • C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\lsass.exe
              Filesize

              5.9MB

              MD5

              4d41c7e5b7d8aeaac5c8e6609f85ca4c

              SHA1

              ac8ffce1299c636cb2a115c9c0468e68597e1452

              SHA256

              139154d3787d02da45ca844dc6b5f163693f3d7f7e7f57b349a490e84223f480

              SHA512

              9f446d0ddaad4a8f6192ae2ee7e4405491556b7cfa85e95f5817d9fccec2d87350804856b974e223fae9c6cafd8b72be43ac79781ad1d44a7e015cbb5babe616

              Download Submit

            • memory/1292-27-0x000000001B160000-0x000000001B16C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1292-32-0x000000001B1B0000-0x000000001B1BE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1292-12-0x0000000002B20000-0x0000000002B32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1292-11-0x0000000000C30000-0x0000000000C38000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1292-10-0x0000000000C10000-0x0000000000C26000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1292-7-0x0000000000BE0000-0x0000000000BFC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1292-6-0x0000000000790000-0x0000000000798000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1292-13-0x0000000002B30000-0x0000000002B3C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1292-14-0x0000000002A20000-0x0000000002A28000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1292-15-0x0000000002B40000-0x0000000002B50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1292-16-0x0000000002B50000-0x0000000002B5A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1292-17-0x0000000002C10000-0x0000000002C66000-memory.dmp

              Filesize

              344KB

              Download

            • memory/1292-18-0x0000000002B60000-0x0000000002B6C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1292-19-0x0000000002B70000-0x0000000002B78000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1292-21-0x000000001B0F0000-0x000000001B0F8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1292-20-0x0000000002C60000-0x0000000002C6C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1292-23-0x000000001B100000-0x000000001B112000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1292-24-0x000000001B130000-0x000000001B13C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1292-25-0x000000001B140000-0x000000001B14C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1292-9-0x0000000000C00000-0x0000000000C10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1292-26-0x000000001B150000-0x000000001B158000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1292-28-0x000000001B170000-0x000000001B17C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1292-29-0x000000001B190000-0x000000001B198000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1292-30-0x000000001B180000-0x000000001B18C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1292-31-0x000000001B1A0000-0x000000001B1AA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1292-8-0x00000000007A0000-0x00000000007A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1292-33-0x000000001B590000-0x000000001B598000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1292-34-0x000000001B5A0000-0x000000001B5AE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1292-35-0x000000001B5B0000-0x000000001B5B8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1292-36-0x000000001B5C0000-0x000000001B5CC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1292-37-0x000000001B5D0000-0x000000001B5D8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1292-38-0x000000001B5E0000-0x000000001B5EA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1292-39-0x000000001B5F0000-0x000000001B5FC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1292-192-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1292-226-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1292-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1292-5-0x00000000004F0000-0x00000000004FE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1292-1-0x0000000000C40000-0x0000000001538000-memory.dmp

              Filesize

              9.0MB

              Download

            • memory/1292-320-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1292-4-0x00000000004E0000-0x00000000004EE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1292-2-0x0000000000240000-0x0000000000241000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1292-3-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2004-284-0x000000001B8D0000-0x000000001BBB2000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/2208-346-0x0000000000A80000-0x0000000000A92000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2208-344-0x0000000000A90000-0x0000000001388000-memory.dmp

              Filesize

              9.0MB

              Download

            • memory/2444-357-0x0000000000310000-0x0000000000C08000-memory.dmp

              Filesize

              9.0MB

              Download

            • memory/2476-290-0x0000000002810000-0x0000000002818000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2916-370-0x0000000000E90000-0x0000000001788000-memory.dmp

              Filesize

              9.0MB

              Download

            • memory/2916-372-0x0000000000E00000-0x0000000000E12000-memory.dmp

              Filesize

              72KB

              Download