Overview

overview

10

Static

static

10

0ce8e2125c...fa.exe

windows7-x64

10

0ce8e2125c...fa.exe

windows10-2004-x64

10

0d08fd5994...a1.exe

windows7-x64

10

0d08fd5994...a1.exe

windows10-2004-x64

10

0d39a7ade0...a9.exe

windows7-x64

10

0d39a7ade0...a9.exe

windows10-2004-x64

10

0d7cbc8822...d3.exe

windows7-x64

10

0d7cbc8822...d3.exe

windows10-2004-x64

10

0da351d641...30.exe

windows7-x64

10

0da351d641...30.exe

windows10-2004-x64

10

0dcb9d68dd...81.exe

windows7-x64

10

0dcb9d68dd...81.exe

windows10-2004-x64

10

0de35a9720...08.exe

windows7-x64

3

0de35a9720...08.exe

windows10-2004-x64

3

0df2367bf9...81.exe

windows7-x64

10

0df2367bf9...81.exe

windows10-2004-x64

7

0df7144ed5...52.exe

windows7-x64

10

0df7144ed5...52.exe

windows10-2004-x64

10

0df97b99ca...e3.exe

windows7-x64

1

0df97b99ca...e3.exe

windows10-2004-x64

4

0e48a47f40...30.exe

windows7-x64

10

0e48a47f40...30.exe

windows10-2004-x64

10

0e820aad5e...54.exe

windows7-x64

10

0e820aad5e...54.exe

windows10-2004-x64

10

0ea0e36c70...d3.exe

windows7-x64

10

0ea0e36c70...d3.exe

windows10-2004-x64

10

0eb27c6385...3a.exe

windows7-x64

10

0eb27c6385...3a.exe

windows10-2004-x64

10

0ee8580c3e...ef.exe

windows7-x64

10

0ee8580c3e...ef.exe

windows10-2004-x64

10

0eed307263...f5.exe

windows7-x64

10

0eed307263...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e48a47f400685a0d5ded8ad220d8f30.exe

  • Size

    5.9MB

  • MD5

    0e48a47f400685a0d5ded8ad220d8f30

  • SHA1

    9e2de24fe28723727750f9e911fff325d74399bb

  • SHA256

    8ef226d36414c628f71bebb9a7724dbbe58ed58d280a35a32f4550593baf8c2a

  • SHA512

    66a3f552ae9cc6e4fc78ec683105a52b6f2ff4e7d8436438320a3e2332bb2ee0fc7ef61c909f8692137e7eccdcdcf3f898b810e18b64bc254dd08cb69ba77481

  • SSDEEP

    98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4G:RyeU11Rvqmu8TWKnF6N/1w3

Score
10/10
dcratdefense_evasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    defense_evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • System policy modification 1 TTPs 12 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e48a47f400685a0d5ded8ad220d8f30.exe
    "C:\Users\Admin\AppData\Local\Temp\0e48a47f400685a0d5ded8ad220d8f30.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/7e20f84d5244aba7145631d4073af8/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/d25f591a00514bc9ba8441/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1772
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:5248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:5284
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4440
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4408
    • C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe
      "C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5948
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e68a6ed2-57e9-42e2-a478-d4cba265f182.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3800
        • C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe
          "C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5240
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41617584-d279-4667-96ac-98fae4fbfb14.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1076
            • C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe
              "C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe"
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:5032
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ff8a519-84c3-4fbf-9a7f-be5a70ae3cde.vbs"
                7⤵
                  PID:2028
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf1d8fce-b90c-4a5b-bc59-e114fe48828d.vbs"
                  7⤵
                    PID:6016
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91bc334e-c550-4130-b3a7-295e522ef30d.vbs"
                5⤵
                  PID:4980
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e91ed1d-6f88-4e8f-84cd-f9c794b26ba5.vbs"
              3⤵
                PID:5708
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\7e20f84d5244aba7145631d4073af8\upfc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4708
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\upfc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\7e20f84d5244aba7145631d4073af8\upfc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5092
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\TextInputHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4624
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4504
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1656
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4924
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4920
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:448
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4872
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4880
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4904
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\OneDrive\lsass.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5060
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\OneDrive\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5112
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2260
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2428
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1848
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4348
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4468
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:548
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5596
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5532
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2056
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3788
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3152
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5876
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\StartMenuExperienceHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5168
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\addins\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2400
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5892
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\schemas\AvailableNetwork\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4580
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\schemas\AvailableNetwork\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5544
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\7e20f84d5244aba7145631d4073af8\dwm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5644
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2032
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\7e20f84d5244aba7145631d4073af8\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4188
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\d25f591a00514bc9ba8441\taskhostw.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1068
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2840
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2616
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2096
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1384
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1484
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:408
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:316
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1044
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5136
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3692
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1396

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\7e20f84d5244aba7145631d4073af8\dwm.exe
            Filesize

            5.9MB

            MD5

            2c48d0af8fbf271f2a8f684014e7e4e2

            SHA1

            50ab175542e88d9bd282e61ab9616b3853420d62

            SHA256

            c02707f9109a845dbd287da48ab5df38b9a56f3b22f7640f280e19d048cc84a9

            SHA512

            296c5a61e55b29565b5d944c80d8c54dab8b5b879bded5c55ae13cbfdcd0ec8a0d83613429c88d9f11aaa82527272b7565b26465aad8b2cb8f3b059b0931340e

            Download Submit

          • C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe
            Filesize

            5.9MB

            MD5

            5df43d5beb0e0186826da4b0d7edf375

            SHA1

            d94ecef81785aa5649ed040820ab4a3d8e562c3e

            SHA256

            af7583dff515bc02fd51a492bffab568384446317dd5f4c8fadf133139af432d

            SHA512

            391e1886f9c4ea71ed2f6e59b73583715122a5f7321286ecaa84a52acea8a0e1b2bdf259640ed35e44cba078a2f8723264e76a1399b1f26fa4266791874f18ea

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log
            Filesize

            1KB

            MD5

            229da4b4256a6a948830de7ee5f9b298

            SHA1

            8118b8ddc115689ca9dc2fe8c244350333c5ba8b

            SHA256

            3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

            SHA512

            3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            ef538d38d3fffe3041acc5076c2ab10f

            SHA1

            50e8ec7b55d7e47f68d12491f9b6b68a55042024

            SHA256

            0b5fc94f8342f5b502631514a4ff04af3c16a237bd72ad280f5b01c548d75294

            SHA512

            61097c11d998d1e5cdd9e8f494e51c5c4a6ca2f292a96e603dd912e11ade25bdc430ef46e2f2b7d41262eaf50cb1fa07b9f7a0c267af3120c7028559b12e6cc7

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            b0bd0ba1b6d523383ae26f8138bac15f

            SHA1

            8d2828b9380b09fe6b0a78703a821b9fb8a491e5

            SHA256

            a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1

            SHA512

            614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            aa06cb40f97ab488651f3aebd1e07736

            SHA1

            5094da2f768387c80a0e879ef43ffbdc677ddc97

            SHA256

            d792dfc55ca10a274ff6ace7d3f5bf6d4cfc9dcefd7c0e9b8aa714fff8988b82

            SHA512

            e3d49f6cb6b50acd6e93c9bc2b46cffa238d1d28b26f1c549267f32abdfd239c75a261b7bab9edcce606f35b8ca632676efaca3f2b1bbdb9bb739115f6003af6

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            524dc4216ee09facc7e63e372240789e

            SHA1

            60287bcf81563ab138f4a9d8a33b16653608d4d8

            SHA256

            33fc078810df83c5cb05c92f92df887ef30bcd553805d8fc58ed9badf8353a16

            SHA512

            5834f8c1ba0148b99d6b59303405c6713fd933b31429ba0030752f8003901c50eafde985473928cca8d4bf4b22ac196e52f376db823b0ddda49b0d45272e2c9b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\41617584-d279-4667-96ac-98fae4fbfb14.vbs
            Filesize

            739B

            MD5

            8fb9ecc3f251cc8ea876ff127318d489

            SHA1

            4c610c0720c8d4bec006fadc5e6f07f973b19e48

            SHA256

            84ac76c632436cff9fdbb4b02f45b2a8fed81701b77d81c8dfece7b7de966272

            SHA512

            d5419365837c9a8aef3c049540ca663874bdb670ccb954e96b80c82b58725c141d2dd478228f429cafe6ad1507046311fc5d0eb0c0cc286f3424d10a29013e34

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\6ff8a519-84c3-4fbf-9a7f-be5a70ae3cde.vbs
            Filesize

            739B

            MD5

            e6658341237655417449bc7b4d693fb1

            SHA1

            32ae46163e92267b12bef9ae9d69b8a5e0a0d483

            SHA256

            0b645db486670cedeededf5e1def5157c35894bbbea755406ead300397878dc8

            SHA512

            f6a76d25751615dda4fd0404c386ac8b146f429b34aad071680334ba6b8d517acb9573d0e79b41910b300cdb626ef1b31e560d576c3bdcff08ffd383f4897ced

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\8e91ed1d-6f88-4e8f-84cd-f9c794b26ba5.vbs
            Filesize

            515B

            MD5

            5f27368114c1e6bf1907eae1e7b293f6

            SHA1

            10527c9d6b001a51e99a648c298c012fcdf05b04

            SHA256

            28e8eda8785f7a216ddaa36c955a70157b456024b26631a0c71638672940b47c

            SHA512

            9dba2186f32e834349bcdfc7915e3eb563ce4dbff7aaa80a7d2bd4ebb1b235fee90bb40e9ebf9f229025b247df47f0ffe9d97d3e330926a0089313961971bec5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x2qivg1t.u0u.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\e68a6ed2-57e9-42e2-a478-d4cba265f182.vbs
            Filesize

            739B

            MD5

            ce89dbbe911e3a26429a2b9d36231c22

            SHA1

            87ca4ff6210afea52bdc196c3b86ba1e3a4cb2fc

            SHA256

            7302e03da18dc3852a2ea44215c113e9fee5ae1c66db44a18e8d75b54c7c281a

            SHA512

            58217ecbc7aa09ba2c2692ae7a26a8d05b04830267579d8a9db546fd10e9ecbd863b958f3cc5d4ce02e12f1c33344989eeace9d376d330b63848e4958cf26531

            Download Submit

          • C:\Users\Admin\OneDrive\lsass.exe
            Filesize

            5.9MB

            MD5

            0e48a47f400685a0d5ded8ad220d8f30

            SHA1

            9e2de24fe28723727750f9e911fff325d74399bb

            SHA256

            8ef226d36414c628f71bebb9a7724dbbe58ed58d280a35a32f4550593baf8c2a

            SHA512

            66a3f552ae9cc6e4fc78ec683105a52b6f2ff4e7d8436438320a3e2332bb2ee0fc7ef61c909f8692137e7eccdcdcf3f898b810e18b64bc254dd08cb69ba77481

            Download Submit

          • C:\Windows\debug\RuntimeBroker.exe
            Filesize

            5.9MB

            MD5

            171eb702e04590f1514218d53ca0415a

            SHA1

            de35d691886a610a761d230f472e83ccf611c6af

            SHA256

            3a3fa675181533d057751c62eec37c3433fe2b6eb9b77f33fed13d9b22332ba0

            SHA512

            07ab5766548844691fedc7ea0bc6855b6676d84abbec940aa4b3b97ed6dc042a557c87d81828a55ed8adbcd11029b23a0db1968a105357e8d0c38ff3bb18fa67

            Download Submit

          • C:\d25f591a00514bc9ba8441\System.exe
            Filesize

            5.9MB

            MD5

            799cefdc05925ecd28bb3d70fb2292a8

            SHA1

            0f6d074f5f2c56e54f096bc169c3cb4aad39e0c8

            SHA256

            a877e0a9bfe8ee6fe32864d3509a4c2adcda3072059c94161d6b62e8b40ade56

            SHA512

            02a6b36673e4badccaf8a02c7fe22c5f5c26f4677ee8efc267ba028eea7396df74e8a6ed1aca2105bca78daed5a02cac30215191f81c605f78e0c085fd13dcab

            Download Submit

          • memory/1992-36-0x000000001D450000-0x000000001D45E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1992-28-0x000000001D3D0000-0x000000001D3D8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1992-18-0x000000001D300000-0x000000001D356000-memory.dmp

            Filesize

            344KB

            Download

          • memory/1992-19-0x000000001D350000-0x000000001D35C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1992-24-0x000000001D380000-0x000000001D392000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1992-22-0x000000001D370000-0x000000001D378000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1992-21-0x000000001D470000-0x000000001D47C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1992-20-0x000000001D360000-0x000000001D368000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1992-26-0x000000001D3B0000-0x000000001D3BC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1992-25-0x000000001D9B0000-0x000000001DED8000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/1992-29-0x000000001D3E0000-0x000000001D3EC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1992-30-0x000000001D3F0000-0x000000001D3FC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1992-32-0x000000001D410000-0x000000001D41C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1992-31-0x000000001D400000-0x000000001D408000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1992-0-0x00007FF99BA73000-0x00007FF99BA75000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1992-40-0x000000001D7A0000-0x000000001D7AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1992-41-0x000000001D6A0000-0x000000001D6AC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1992-39-0x000000001D690000-0x000000001D698000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1992-38-0x000000001D680000-0x000000001D68C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1992-37-0x000000001D460000-0x000000001D468000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1992-35-0x000000001D440000-0x000000001D448000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1992-34-0x000000001D430000-0x000000001D43E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1992-33-0x000000001D420000-0x000000001D42A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1992-17-0x000000001D2F0000-0x000000001D2FA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1992-27-0x000000001D3C0000-0x000000001D3CC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1992-15-0x000000001D2D0000-0x000000001D2D8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1992-16-0x000000001D2E0000-0x000000001D2F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1992-14-0x0000000002FE0000-0x0000000002FEC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1992-183-0x00007FF99BA73000-0x00007FF99BA75000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1992-8-0x000000001D180000-0x000000001D1D0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/1992-231-0x00007FF99BA70000-0x00007FF99C531000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1992-13-0x0000000002FD0000-0x0000000002FE2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1992-1-0x0000000000400000-0x0000000000CF8000-memory.dmp

            Filesize

            9.0MB

            Download

          • memory/1992-9-0x0000000002F70000-0x0000000002F78000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1992-436-0x00007FF99BA70000-0x00007FF99C531000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1992-2-0x0000000001580000-0x0000000001581000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1992-11-0x0000000002F90000-0x0000000002FA6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1992-12-0x0000000002FB0000-0x0000000002FB8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1992-10-0x0000000002F80000-0x0000000002F90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1992-7-0x0000000002F50000-0x0000000002F6C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/1992-6-0x0000000002F40000-0x0000000002F48000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1992-3-0x00007FF99BA70000-0x00007FF99C531000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1992-5-0x0000000002F30000-0x0000000002F3E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1992-4-0x0000000002F20000-0x0000000002F2E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4360-315-0x0000025ED9D60000-0x0000025ED9D82000-memory.dmp

            Filesize

            136KB

            Download

          • memory/5948-463-0x000000001D6A0000-0x000000001D6B2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/5948-435-0x0000000000940000-0x0000000001238000-memory.dmp

            Filesize

            9.0MB

            Download