Overview

overview

10

Static

static

10

84b12442aa...e4.exe

windows7-x64

10

84b12442aa...e4.exe

windows10-2004-x64

10

84c3944913...92.exe

windows7-x64

1

84c3944913...92.exe

windows10-2004-x64

1

84debf79f2...ff.exe

windows7-x64

1

84debf79f2...ff.exe

windows10-2004-x64

1

84f75ab85b...fd.exe

windows7-x64

10

84f75ab85b...fd.exe

windows10-2004-x64

10

855deb7775...d7.exe

windows7-x64

10

855deb7775...d7.exe

windows10-2004-x64

10

85744dd3f6...0b.exe

windows7-x64

7

85744dd3f6...0b.exe

windows10-2004-x64

7

85c94c7c76...5f.exe

windows7-x64

10

85c94c7c76...5f.exe

windows10-2004-x64

10

85d0793219...96.exe

windows7-x64

10

85d0793219...96.exe

windows10-2004-x64

10

85da941cd1...86.exe

windows7-x64

3

85da941cd1...86.exe

windows10-2004-x64

3

85edcd8fbc...42.exe

windows7-x64

10

85edcd8fbc...42.exe

windows10-2004-x64

10

8601303574...8e.exe

windows7-x64

10

8601303574...8e.exe

windows10-2004-x64

10

86513494c7...6d.exe

windows7-x64

10

86513494c7...6d.exe

windows10-2004-x64

10

86700eca73...12.exe

windows7-x64

10

86700eca73...12.exe

windows10-2004-x64

10

867e002192...1f.exe

windows7-x64

10

867e002192...1f.exe

windows10-2004-x64

10

86c8fa2e13...a0.exe

windows7-x64

10

86c8fa2e13...a0.exe

windows10-2004-x64

10

86ca2f06f1...26.exe

windows7-x64

10

86ca2f06f1...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    25s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe

  • Size

    1.6MB

  • MD5

    c87ae2c7c0c0a77294bdf61219b952f5

  • SHA1

    009d29952e3cec0966402de8b8ffeb264c78a956

  • SHA256

    85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f

  • SHA512

    b7477f968f2356dd08991668b6feb01bb878bad59a6b3857b0a226b1e246852ba0c40214c502e757b01bbd9fc130f9e0cad033a12ada3f1c6f42767b9b813c7c

  • SSDEEP

    24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
    "C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\winlogon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1832
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\services.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:2540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:1624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:3000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:1768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:2744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\dwm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:2340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:2656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Idle.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:1808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:1996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:932
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VEid32eq5K.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1796
        • C:\Windows\Migration\WTR\services.exe
          "C:\Windows\Migration\WTR\services.exe"
          3⤵
            PID:2692
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13c13d20-70d8-40c4-9f28-b766b09819ab.vbs"
              4⤵
                PID:2332
                • C:\Windows\Migration\WTR\services.exe
                  C:\Windows\Migration\WTR\services.exe
                  5⤵
                    PID:1808
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a72ff2fe-a937-40ff-97ab-472edf02fcc6.vbs"
                      6⤵
                        PID:2136
                        • C:\Windows\Migration\WTR\services.exe
                          C:\Windows\Migration\WTR\services.exe
                          7⤵
                            PID:2416
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a702c9bb-6063-4126-af9b-4e41d6cc04f0.vbs"
                              8⤵
                                PID:840
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b884755-b701-43c9-b03b-f6ce3116a232.vbs"
                                8⤵
                                  PID:960
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37eef783-0e8a-4461-9cda-cd8fa1383c76.vbs"
                              6⤵
                                PID:2964
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6b2bedf-3722-4a8f-8056-9270e3f0769d.vbs"
                            4⤵
                              PID:784
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2144
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2924
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2936
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2856
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2688
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:896
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\services.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:568
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\services.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2236
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\services.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1116
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\csrss.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:908
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3016
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1520
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2588
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1928
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:852
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2740
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2996
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3036
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1020
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1072
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1976
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1832
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1908
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:584
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2584
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2164
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1996
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\sppsvc.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2132
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\sppsvc.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1808
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\sppsvc.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:808
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\dwm.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2124
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\dwm.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:676
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\dwm.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2240
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1100
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2364
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1548
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:772
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1768
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1784
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2044
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:828
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2220
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Idle.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2484
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1420
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2480
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\sppsvc.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1616
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2340
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1672
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2344
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1568
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2332

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe
                        Filesize

                        1.6MB

                        MD5

                        c87ae2c7c0c0a77294bdf61219b952f5

                        SHA1

                        009d29952e3cec0966402de8b8ffeb264c78a956

                        SHA256

                        85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f

                        SHA512

                        b7477f968f2356dd08991668b6feb01bb878bad59a6b3857b0a226b1e246852ba0c40214c502e757b01bbd9fc130f9e0cad033a12ada3f1c6f42767b9b813c7c

                        Download Submit

                      • C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe
                        Filesize

                        1.6MB

                        MD5

                        db5750b1c66a04443936baf6694cc4ee

                        SHA1

                        a7fcd2d5386816c965192c6bd1c58b856042b461

                        SHA256

                        3e017c5ac3c5961efa767a8c8a08b090d145feb7644c707581c162f6eb1a758f

                        SHA512

                        eaafa22c5ee18cb57b55400fb4dbef377c3ac879b7e8ed2a01361e226eeb2337292baa71760db4ad250748f53034314a81d6260d2589e1b434575d03c4b0a673

                        Download Submit

                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
                        Filesize

                        1.6MB

                        MD5

                        2de5fc0c851c2eebb44a8b40ff22116a

                        SHA1

                        a775be803115ea52d95f90ae94f540cf16117fa1

                        SHA256

                        8a7a3b2810f634415c1214c0cfd97aa7cc33331e99f1dd082a0023af71dfd55b

                        SHA512

                        c99ad00d925b30eb02c82bb2fdeb7ef492287e184896f3a21b4f3741a374aff63941b1bfb6c3fc9b3e4cdc7a85b546dfb329f2bc837241b366b07ff1609526b4

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\13c13d20-70d8-40c4-9f28-b766b09819ab.vbs
                        Filesize

                        713B

                        MD5

                        0c43ff92be62634a6039d725a69fd018

                        SHA1

                        49ebc77c5548b6c63f79895ac58c9191b31a2eb4

                        SHA256

                        69e71b6e78e633b6cc425a310aa7303fc512b1d3662021c4c9fc18ba46d650ba

                        SHA512

                        c92964ea47323610c0d483117ac8647fc2850c2b865b304da43b60c6cca4990f33d02ab2451609ae716c8c3f290b63c568306d64d3560f9a158e605480bec954

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\VEid32eq5K.bat
                        Filesize

                        202B

                        MD5

                        4768f7849ed861e0bf9634022e8d778b

                        SHA1

                        6df0cdf694cd5fa781e2b006bffa90e559862028

                        SHA256

                        9a0e760ed89445bebdbfa9fe2564cff161907dd7316a0c977c2724cf3bbf7398

                        SHA512

                        185481f4f75c454c85a8b3501618f855d5c6c850a3053ce408d404a8d9b8ce68f7f7dd46cf21a1bf9fe3852a2d4b7d1d9bd56b0f6d0d222b2f84da99e279057b

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\a702c9bb-6063-4126-af9b-4e41d6cc04f0.vbs
                        Filesize

                        713B

                        MD5

                        288a00f5deecdaceb8438981165478a2

                        SHA1

                        1dbc05a472fd1bd62e90f6cfe452339e6f7fb5b3

                        SHA256

                        058ac256874cbc588d7dbbb3a656262b1e15d9b23243b18d8df1cecd5b257d8c

                        SHA512

                        bb157ff2fdbd3a16e1ec8931e882b62185c368a7693965a0c2f97317b62569641dab4f668640944c34730a8f78fa327b03c6ca2605d1d405fde124d19f05fb77

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\a72ff2fe-a937-40ff-97ab-472edf02fcc6.vbs
                        Filesize

                        713B

                        MD5

                        6a6f1d58b94ffd0969f37a4c8e7e694c

                        SHA1

                        cfa2964d0b2f6c2879b628eaf22ede08ea6d061d

                        SHA256

                        d30d3a4a98f02bc4a64b10bd4c98dc5fbac729488cafcc813a99399874def22d

                        SHA512

                        3f7ac3847a66765e9c427a95bcd0c11ffe5c2aa2b88c983d414fa9f895ed2208ee973313cbb838e77f981242fec935a0c20c4855b8a2423d8eb236d1dd4ea2fb

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\d6b2bedf-3722-4a8f-8056-9270e3f0769d.vbs
                        Filesize

                        489B

                        MD5

                        fd33b78634cb732294058c17cdc45666

                        SHA1

                        1704c9f893432dea78009c727427e34c671df4e2

                        SHA256

                        40bf7f5bec07763d2bdc0d4b70903d47df93b74c43040abaf448ffe75a683904

                        SHA512

                        5e2eb1c3dd231075ac7b2cc32f7ad0b27ad54e2a7609314075fe864b1cc59882e58d07d5c32929a6da1341a95365c9df49000414ac4e2d9362f844109f9d154f

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                        Filesize

                        7KB

                        MD5

                        592ec8050bc06cffbf0728344c628d46

                        SHA1

                        56e41e0e0832d1518b0d2db584c7a5effe08b45b

                        SHA256

                        1095fafa6dccac2fe2c6d7f162c0dd105e40ccd708b2297af1ada468e97854da

                        SHA512

                        67d90052d76e0a697d80c125371a1d1589e3f0055dbbbc5cb4a09f3066e88dad4994f697e6d2c478591749d4e683fdcb085e10191bf3326fd321e35cf0f32f84

                        Download Submit

                      • C:\Users\Admin\Documents\spoolsv.exe
                        Filesize

                        1.6MB

                        MD5

                        4145a64c3eed4bbc802729f834b0296d

                        SHA1

                        470515c205a9b8c591c02af6b22374a5bc25cd4a

                        SHA256

                        aaa0ef72d03e79e5402d225a6ce7e3cb16ce943158a98fd8f2b3eb6782f7a364

                        SHA512

                        950ec480ff621c43f69d157783f85226460db1649cd7cf1ae9e4f36b2461d53f50dda9713db98cda85fa08fb290c61a77f5fcbdfc155ed53318d226e927208fd

                        Download Submit

                      • memory/1056-299-0x0000000001F90000-0x0000000001F98000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/1176-16-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/1176-8-0x0000000000320000-0x0000000000328000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/1176-13-0x0000000000610000-0x0000000000618000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/1176-14-0x0000000000620000-0x0000000000628000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/1176-15-0x0000000000630000-0x000000000063A000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/1176-0-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1176-11-0x00000000005F0000-0x00000000005FA000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/1176-33-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1176-58-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/1176-10-0x0000000000350000-0x000000000035C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/1176-9-0x0000000000330000-0x000000000033C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/1176-12-0x0000000000600000-0x000000000060E000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/1176-7-0x0000000000340000-0x0000000000350000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1176-1-0x0000000000C70000-0x0000000000E12000-memory.dmp

                        Filesize

                        1.6MB

                        Download

                      • memory/1176-325-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/1176-5-0x00000000002F0000-0x0000000000306000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/1176-6-0x0000000000310000-0x0000000000318000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/1176-2-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/1176-4-0x00000000002E0000-0x00000000002F0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1176-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

                        Filesize

                        112KB

                        Download

                      • memory/1808-355-0x0000000000BF0000-0x0000000000D92000-memory.dmp

                        Filesize

                        1.6MB

                        Download

                      • memory/2416-367-0x0000000000D50000-0x0000000000EF2000-memory.dmp

                        Filesize

                        1.6MB

                        Download

                      • memory/2692-344-0x0000000000110000-0x00000000002B2000-memory.dmp

                        Filesize

                        1.6MB

                        Download

                      • memory/2788-323-0x000000001B3B0000-0x000000001B692000-memory.dmp

                        Filesize

                        2.9MB

                        Download