Overview

overview

10

Static

static

10

1d90d6c35e...9c.exe

windows7-x64

10

1d90d6c35e...9c.exe

windows10-2004-x64

10

1dbfa6282e...68.exe

windows7-x64

8

1dbfa6282e...68.exe

windows10-2004-x64

8

1dc47906f1...32.exe

windows7-x64

10

1dc47906f1...32.exe

windows10-2004-x64

3

1df5615c53...d6.exe

windows7-x64

10

1df5615c53...d6.exe

windows10-2004-x64

10

1e02f6a6c6...83.exe

windows7-x64

7

1e02f6a6c6...83.exe

windows10-2004-x64

7

1e055435ef...e4.exe

windows7-x64

10

1e055435ef...e4.exe

windows10-2004-x64

10

1e320ed242...cb.exe

windows7-x64

10

1e320ed242...cb.exe

windows10-2004-x64

10

1ec4b8acdc...65.exe

windows7-x64

1

1ec4b8acdc...65.exe

windows10-2004-x64

1

1ecd5f6fdf...82.exe

windows7-x64

10

1ecd5f6fdf...82.exe

windows10-2004-x64

10

1f0343adab...d3.exe

windows7-x64

10

1f0343adab...d3.exe

windows10-2004-x64

10

1f1f2a5e82...ba.exe

windows7-x64

10

1f1f2a5e82...ba.exe

windows10-2004-x64

10

1f2f396008...f5.exe

windows7-x64

10

1f2f396008...f5.exe

windows10-2004-x64

10

1f824bf7c7...67.exe

windows7-x64

10

1f824bf7c7...67.exe

windows10-2004-x64

10

1fb433aec1...59.exe

windows7-x64

10

1fb433aec1...59.exe

windows10-2004-x64

10

1fe86f0bbb...3e.exe

windows7-x64

10

1fe86f0bbb...3e.exe

windows10-2004-x64

10

201b2bf97d...42.exe

windows7-x64

10

201b2bf97d...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    59s
  • max time network
    66s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 20:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

  • Size

    1.6MB

  • MD5

    517861702fe0a89aa5e3af35d9f96661

  • SHA1

    50101d8bff153320694baf54bc7b68e585720d4d

  • SHA256

    1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4

  • SHA512

    da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488

  • SSDEEP

    24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
    "C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5188
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\TextInputHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dwm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\sysmon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\TextInputHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\lsass.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4128
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DgHlPzdV8W.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4748
        • C:\Program Files\Crashpad\attachments\TextInputHost.exe
          "C:\Program Files\Crashpad\attachments\TextInputHost.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5704
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\318b0323-ce3b-4baf-88c5-6052c8b4c485.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1988
            • C:\Program Files\Crashpad\attachments\TextInputHost.exe
              "C:\Program Files\Crashpad\attachments\TextInputHost.exe"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3248
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45e115ff-c56c-4748-ac83-ff5a9a4a17af.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:608
                • C:\Program Files\Crashpad\attachments\TextInputHost.exe
                  "C:\Program Files\Crashpad\attachments\TextInputHost.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5952
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\625a154e-2df8-4f70-bbf0-b28188669def.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5404
                    • C:\Program Files\Crashpad\attachments\TextInputHost.exe
                      "C:\Program Files\Crashpad\attachments\TextInputHost.exe"
                      9⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1664
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23e29485-28b5-4be0-8b1e-417b9e84b2d4.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:436
                        • C:\Program Files\Crashpad\attachments\TextInputHost.exe
                          "C:\Program Files\Crashpad\attachments\TextInputHost.exe"
                          11⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3116
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ce0279b-32cc-4cc4-83b5-6d9d365b453f.vbs"
                            12⤵
                              PID:5248
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d7b5903-a56f-45a4-8548-0f1902a8f478.vbs"
                              12⤵
                                PID:5520
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f39e23bc-cef8-4999-96d7-35c489ee43ea.vbs"
                            10⤵
                              PID:3292
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3cb4d79-ff29-48bc-ac17-a11dea753418.vbs"
                          8⤵
                            PID:5980
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a8d288d-d5ba-4c7b-8a09-d74a1407e281.vbs"
                        6⤵
                          PID:3480
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\137b26da-c7f6-4018-bbb5-0bee382c85f9.vbs"
                      4⤵
                        PID:5860
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4704
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2036
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5428
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4180
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2344
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4548
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\attachments\TextInputHost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4536
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\TextInputHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4520
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\attachments\TextInputHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4596
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4720
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4744
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4732
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dwm.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4840
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4848
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5092
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\sysmon.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4480
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\sysmon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5192
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\sysmon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4792
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\TextInputHost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4376
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\TextInputHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3180
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\TextInputHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4924
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\d25f591a00514bc9ba8441\lsass.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5020
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\lsass.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3296
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\lsass.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4872
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4900
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4820
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5060

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe
                  Filesize

                  1.6MB

                  MD5

                  b8db8148308b7e3e1ffb4480429079e8

                  SHA1

                  69efa880835bd5ebe532123ba620cf6acf920ffa

                  SHA256

                  491ce252356a152351e12d7bc9d1bbd0e8b7291a7d220668932a0917b9369d62

                  SHA512

                  7a05ddac45bac389ee747254e66354c808475a42715aff3b1f8c1da8c04b87978cee0c4473144345157fa87d2f79a972b69c235a9a62026057b35a73f6f1c650

                  Download Submit

                • C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe
                  Filesize

                  1.6MB

                  MD5

                  c07ec9e1f27259eb3e6e2ebbb6583311

                  SHA1

                  2eac6564bb33deb799eade538f1a0d14f5c1377c

                  SHA256

                  81e020f984d5260df2a9fac670311f928cb7ea6361d46ae5f1463d4d588bb5a7

                  SHA512

                  1d621361aae9a673fad8eed5ead76ac9d41e1c39b2d2d21e54f2fcb13d015ab05f15debad3fd994691f88f972299ac441bd81fb46a6153e96d8e3d7527fd30c9

                  Download Submit

                • C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dwm.exe
                  Filesize

                  1.6MB

                  MD5

                  517861702fe0a89aa5e3af35d9f96661

                  SHA1

                  50101d8bff153320694baf54bc7b68e585720d4d

                  SHA256

                  1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4

                  SHA512

                  da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log
                  Filesize

                  1KB

                  MD5

                  3690a1c3b695227a38625dcf27bd6dac

                  SHA1

                  c2ed91e98b120681182904fa2c7cd504e5c4b2f5

                  SHA256

                  2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

                  SHA512

                  15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                  Filesize

                  2KB

                  MD5

                  d85ba6ff808d9e5444a4b369f5bc2730

                  SHA1

                  31aa9d96590fff6981b315e0b391b575e4c0804a

                  SHA256

                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                  SHA512

                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  8d1deade86a558baa0001eab3f74b16b

                  SHA1

                  3fa436638817cf90a5ddc691d6958b32c6e1f037

                  SHA256

                  a6f2f05965718bc072ca71644afcbed776fdbd3db33e6c460a501177fa5e21e6

                  SHA512

                  1d2eac199777a1fa0f4a39c28df940536883bd60c2d96c5902b9da7a55fe709ed81c6a8d82524ccbf3460feef9bfe1f9b240de11ec994c9f4c5c26a0dbc5e6c9

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  e10ceaefa38a8a0c7cf27b2938747eae

                  SHA1

                  18dd07de4b7d6f6d0fb7e1feebd78f0a93f6c89e

                  SHA256

                  d2f2ece67e3314a38df3789214221bbdd06f9f577470b543f6d094b621fba43b

                  SHA512

                  84c811e7d313674fff4c24945d275f2aa88380955679bd3a60c7dbde83a370143f3b1b8a677a8b543a571c9069a9262a3f414ff5aff74a283adb81e6321138ed

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  19c1c95807d53fcb88e1e2289e645f0b

                  SHA1

                  832c029a7433b229e66296b6f8a4ba56b0246298

                  SHA256

                  73f393ffbdb24758131fa51669790c37ed233802f1ed85f7bdfd058e0b5fb83f

                  SHA512

                  f528e937baf51c0b85aa25277bd8d12a10e5f8a78187b32eaaacd0dfceba6f3bf90cf21945e299f52fe1110e48ebabe1a8df868e94a72d8899e7f4f49848aa71

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  944B

                  MD5

                  74dd0049bd5d21e75ac1c3b0c10097d0

                  SHA1

                  e794714d21e43a59d8b5e716e16a4e7487175f33

                  SHA256

                  1004fd2c6c615b7ff3142a351e240962e6998014e06e09a1c5e14cf1884b9f7c

                  SHA512

                  a62cb83fe8500bfb1c72651ca7153eb4237b3fb7f17a2e52aec41b85f2dfbd85bd290c36349c1df40dcab8814df8bd751a02181faa4e03fa4e2ccf9271e46f1d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\137b26da-c7f6-4018-bbb5-0bee382c85f9.vbs
                  Filesize

                  507B

                  MD5

                  b2eea89beb8d73bbabcae6d83726ffdd

                  SHA1

                  94cf1d609f57206b12f18e82b7ec53564d266d67

                  SHA256

                  f4c863415d021f234fc0f3043b1f87ef75823206586361d06b40a2ac0a11350b

                  SHA512

                  e034e0e575f2022a3c15bb4140cceaf76a32f9429fd8e17bc4492f9878b01c5dcc65aa4e3193ab1ef6d7b56e2e07e12c62e9b2e1218ebb7e72575060eb44dab6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\23e29485-28b5-4be0-8b1e-417b9e84b2d4.vbs
                  Filesize

                  731B

                  MD5

                  9a90619cec99e8c78871154b6b496885

                  SHA1

                  d901c7dc7a1b3a7c9cc613a667f5b527af2d8954

                  SHA256

                  07fe7cda4f08ca50dead2123a74d5e331a2ad10b2442a805d908313cb6612f24

                  SHA512

                  aed0966b4aa45a88df3628b3cce17aa261491c5145e8bf5c4df8f608a6fb61493bc381a1234ec2f791fdf3f5c0050ed6de605d5c9ac8f5464c58fd6085d4dd8b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\318b0323-ce3b-4baf-88c5-6052c8b4c485.vbs
                  Filesize

                  731B

                  MD5

                  aa408e29a7e6113cd39fe5bf2086bfad

                  SHA1

                  b9dd61d5a4830edb8e0996c4ed27473fe69d00e1

                  SHA256

                  ae4f251a47e72c2bd4da40934183425a20037a3a494d694d7ff3c3d9cbb1474c

                  SHA512

                  605605ada0b88f593d0f427a0c754f27859a5bb71f52c842c621c0070e33fe4c376c4c5f2faaa81161f020f72cc21373b9c77616d69fc0514b69184a7077a295

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\3ce0279b-32cc-4cc4-83b5-6d9d365b453f.vbs
                  Filesize

                  731B

                  MD5

                  0d5a780ddaa9f916874060da57eddce7

                  SHA1

                  f46c098dda56e16bdd6ac49285f4da5791c7cb0e

                  SHA256

                  2f6e156b63e071565e0e3f1a058a0936e0ca20644e4a8ee6d79aa59922d103fb

                  SHA512

                  286e8b7ad0a23c504bce8d1e099122aba36028e8de39e7b5d596f3a15632804f14ff51d0c3c7a03bb0d6e59bdae6fa372fa61cad60aebd9fed52c7481ec593cc

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\45e115ff-c56c-4748-ac83-ff5a9a4a17af.vbs
                  Filesize

                  731B

                  MD5

                  164ccd4be79ce615e5eccf28d3970c00

                  SHA1

                  3ab876aa6bf3d4cabc5d23bca3b42c6f2d7a02d3

                  SHA256

                  874d38bc086170e27e7369e669db609e7c9f39f654406e15a97e29a160cb27b1

                  SHA512

                  b2dc51289873da7fb3d8b99f68ca1d7e8eb627f14b8c5d81c702430c91ea19b9f7b127024745cfcebf0270db1d005504867bb39ed306cad55304ebf3a7f1f730

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\625a154e-2df8-4f70-bbf0-b28188669def.vbs
                  Filesize

                  731B

                  MD5

                  7150d881fb1230540349fd7037a20cf8

                  SHA1

                  3e9ab3e9352f99b6da4c5a3b1fe9405285d0372e

                  SHA256

                  638721f6bde24b8466d26771e202e06d1bab02ca30c1b5aadc995e04257a1bc7

                  SHA512

                  0250d5bd7fa40e94251050a2de4f43442950e3310c9ac045053daea2d29fb000612b6e1360a4d95f61de8328757377ee32c5539712e8bfe4dc7db8f4e76550fb

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\DgHlPzdV8W.bat
                  Filesize

                  220B

                  MD5

                  516e0379d552c14cff58136b1869ff9c

                  SHA1

                  ded85201731885a80142baddcf6afd442b656bd0

                  SHA256

                  f4816f5be257965f12f9ffaaca027d2c1691d88d3073e4236d8166bf17d27a9c

                  SHA512

                  284ac29ad7b6be726a6c3adc462308fc05eca525754dc5e7981cbd9f8842c8e810eb2b721d0634dad42d9b4dfc8d8f7b98f305ec22b0f327b3dcdb4c9fd0c36e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgkqgcbb.zdr.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • C:\d25f591a00514bc9ba8441\RuntimeBroker.exe
                  Filesize

                  1.6MB

                  MD5

                  dce6e93462ca0a252bc12eeb2acaeaf7

                  SHA1

                  24c8bf2e101cdff0b55befeae1ff2bc9405fab73

                  SHA256

                  1551e044ea57412774ba942046d69aa1339c578481e81f61e1a6b06c668fd163

                  SHA512

                  6e76ead1993169df6c0ea65e8071559ec14e509c530170481e96f35019c8dae3b6d12e2041003508702fc4e44d4b345c233d35cc7a98085816e6f110f4ff7232

                  Download Submit

                • C:\d25f591a00514bc9ba8441\lsass.exe
                  Filesize

                  1.6MB

                  MD5

                  7fbf8edad5e2e1fafc2390e4e4ce0a52

                  SHA1

                  cfa445b715fcd89d287b6f5f0b7ca0e48a52fe66

                  SHA256

                  91fbfc3b231ea4f6e7fb7d61e95b343dc3006b9c0bc0bfb108cd07d2eab597e7

                  SHA512

                  3d3877b74ada7513b78220caa81dd47f0bb50ad934a9da420b6fc02c242f2d4f0140a1b04705db7baf71e50d54de78e22f80abfb51a6138528ee008930a5f62a

                  Download Submit

                • memory/1612-16-0x000000001BAC0000-0x000000001BACA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1612-3-0x000000001B0E0000-0x000000001B0FC000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/1612-4-0x000000001B150000-0x000000001B1A0000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/1612-8-0x000000001B130000-0x000000001B140000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1612-10-0x000000001B1A0000-0x000000001B1AC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/1612-161-0x00007FF99BB80000-0x00007FF99C641000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/1612-17-0x000000001BAD0000-0x000000001BADC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/1612-5-0x00000000027E0000-0x00000000027F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1612-6-0x000000001B100000-0x000000001B116000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/1612-7-0x000000001B120000-0x000000001B128000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/1612-0-0x00007FF99BB83000-0x00007FF99BB85000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1612-2-0x00007FF99BB80000-0x00007FF99C641000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/1612-9-0x000000001B140000-0x000000001B148000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/1612-14-0x000000001BAA0000-0x000000001BAA8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/1612-1-0x0000000000430000-0x00000000005D2000-memory.dmp

                  Filesize

                  1.6MB

                  Download

                • memory/1612-15-0x000000001BAB0000-0x000000001BAB8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/1612-13-0x000000001BA90000-0x000000001BA9E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/1612-12-0x000000001BA80000-0x000000001BA8A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1612-11-0x000000001BA70000-0x000000001BA7C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/5052-155-0x000002296B370000-0x000002296B392000-memory.dmp

                  Filesize

                  136KB

                  Download