Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/11/2023, 01:25

General

  • Target

    NEAS.f83148f181f138db59182790125e3550.exe

  • Size

    1.1MB

  • MD5

    f83148f181f138db59182790125e3550

  • SHA1

    59af834bd5049062d03068977b90fdd60ab75516

  • SHA256

    8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09

  • SHA512

    fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

  • SSDEEP

    24576:aADdteLS1VO6wLVqq0aJSw69voIN7y7Di0:8E86MVX/SwHmf

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this run the unexpected children are the schtasks.exe invocations listed in the process tree, spawned to register the dropped copies of the sample.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 36 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hy3B39XMXx.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4892
        • C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe
          "C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4964
          • C:\Users\All Users\Templates\winlogon.exe
            "C:\Users\All Users\Templates\winlogon.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3688
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\045eca76-3656-471f-b030-849723d4466a.vbs"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4840
              • C:\Users\All Users\Templates\winlogon.exe
                "C:\Users\All Users\Templates\winlogon.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2912
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53b7fce0-ff84-4cf9-88e0-a29b4068b307.vbs"
                  7⤵
                    PID:2024
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47999871-8ad1-4ce1-bce8-9653152f8f95.vbs"
                    7⤵
                      PID:4500
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\308aa1bf-4cf9-4895-9303-d003053bda0d.vbs"
                  5⤵
                    PID:3708
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:3996
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2344
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1140
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:2932
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:1708
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4900
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\odt\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2012
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:1924
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2468
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\odt\Registry.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:864
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4220
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:664
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1516
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4964
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:4712
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4200
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:3288
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4308
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:4996
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4076
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\sppsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:4660
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Documents\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:2596
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4852
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3384
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3724
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:3144
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2588
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:4112
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:916
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2184
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3676
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\en-US\dllhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2312
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2912
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:756
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5012
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:1340
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:460
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:1588
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4620
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3904
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\TextInputHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:3840
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2680
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:2068
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3748
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4988
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4552
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1840
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3060
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\Registry.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:264
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:4196
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4604
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2788
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4896
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:2188
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:2376
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1324
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2752
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1216
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1504
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3220
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Creates scheduled task(s)
            PID:5064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Creates scheduled task(s)
            PID:4364
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\winlogon.exe'" /f
            1⤵
            • Creates scheduled task(s)
            PID:3656
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Templates\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Creates scheduled task(s)
            PID:1444
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\winlogon.exe'" /rl HIGHEST /f
            1⤵
              PID:1432
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\dllhost.exe'" /f
              1⤵
              • Creates scheduled task(s)
              PID:884
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Creates scheduled task(s)
              PID:4324
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f
              1⤵
                PID:3676
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
                1⤵
                • Creates scheduled task(s)
                PID:4424
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
                1⤵
                • Creates scheduled task(s)
                PID:1784
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
                1⤵
                • Creates scheduled task(s)
                PID:4872
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\StartMenuExperienceHost.exe'" /f
                1⤵
                • Creates scheduled task(s)
                PID:5012
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                1⤵
                • Creates scheduled task(s)
                PID:460
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                1⤵
                • Creates scheduled task(s)
                PID:1588
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\OfficeClickToRun.exe'" /f
                1⤵
                  PID:964
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f
                  1⤵
                  • Creates scheduled task(s)
                  PID:3384
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f
                  1⤵
                  • Creates scheduled task(s)
                  PID:2332
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\encapsulation\unsecapp.exe'" /f
                  1⤵
                    PID:228
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\unsecapp.exe'" /rl HIGHEST /f
                    1⤵
                    • Creates scheduled task(s)
                    PID:632
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\encapsulation\unsecapp.exe'" /rl HIGHEST /f
                    1⤵
                    • Creates scheduled task(s)
                    PID:4940
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /f
                    1⤵
                      PID:1840
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
                      1⤵
                      • Creates scheduled task(s)
                      PID:3100
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
                      1⤵
                        PID:4864
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Temp\unsecapp.exe'" /f
                        1⤵
                        • Creates scheduled task(s)
                        PID:452
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\unsecapp.exe'" /rl HIGHEST /f
                        1⤵
                        • Creates scheduled task(s)
                        PID:864
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Temp\unsecapp.exe'" /rl HIGHEST /f
                        1⤵
                        • Creates scheduled task(s)
                        PID:1668
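The schtasks lines above follow one pattern: a copy of the sample is written under the name of a Windows system process (winlogon.exe, csrss.exe, dwm.exe, smss.exe, ...) in a directory where that process never lives, and then registered three times each, once ONLOGON and twice on a MINUTE interval, with /rl HIGHEST and /f. The Python below is an added example, not part of this report or of the sandbox's own signature logic, that parses such command lines and scores them on exactly those traits. The input is copied from the process tree in this report plus one constructed benign line; the EXPECTED_DIRS table is my assumption about where the genuine images of those names reside.

```python
import re

# Process names the sample reuses for its dropped copies (see the process tree
# above). Genuine images of these names live only in the directories listed;
# "System" and "Registry" are kernel pseudo-processes with no image file at all,
# so any on-disk System.exe / Registry.exe is suspicious (assumption: standard
# Windows 10 layout, no third-party software that ships same-named binaries).
SYSTEM32 = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "system.exe": set(),
    "registry.exe": set(),
}
for _name in ("winlogon.exe", "csrss.exe", "smss.exe", "dwm.exe", "dllhost.exe",
              "spoolsv.exe", "sppsvc.exe", "unsecapp.exe", "wmiprvse.exe",
              "taskhostw.exe", "runtimebroker.exe", "backgroundtaskhost.exe",
              "textinputhost.exe", "sppextcomobj.exe", "startmenuexperiencehost.exe"):
    EXPECTED_DIRS[_name] = SYSTEM32

# /tn, /sc, /mo, /tr, /rl followed by either a double-quoted value or a bare token
_OPT = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Extract the options of a `schtasks /create` command line.

    The sample wraps the /tr value in double quotes *and* single quotes
    ("'C:\\...\\x.exe'"); both layers are stripped so the path can be split.
    """
    opts = {key.lower(): val.strip('"').strip("'") for key, val in _OPT.findall(cmdline)}
    opts["overwrites_existing"] = " /f" in cmdline.lower()   # /f silently replaces a task
    return opts


def assess(cmdline, max_interval_min=15):
    """Return the task name, launched image and a list of suspicious traits."""
    opts = parse_schtasks(cmdline)
    target = opts.get("tr", "")
    directory, _, image = target.lower().rpartition("\\")
    findings = []
    if image in EXPECTED_DIRS and directory not in EXPECTED_DIRS[image]:
        findings.append(f"masquerade: {image} launched from {directory or '<none>'}")
    if opts.get("rl", "").upper() == "HIGHEST":
        findings.append("runs with highest available privileges (/rl HIGHEST)")
    sc = opts.get("sc", "").upper()
    if sc == "ONLOGON":
        findings.append("persists across logons (/sc ONLOGON)")
    elif sc == "MINUTE" and opts.get("mo", "").isdigit() and int(opts["mo"]) <= max_interval_min:
        findings.append(f"re-launches every {opts['mo']} min (watchdog-style)")
    return {"task": opts.get("tn", ""), "target": target,
            "overwrites_existing": opts["overwrites_existing"], "findings": findings}


def suspicious_tasks(cmdlines, min_findings=2):
    """Keep only the command lines that show at least `min_findings` traits."""
    return [a for a in map(assess, cmdlines) if len(a["findings"]) >= min_findings]


# Command lines copied verbatim from the process tree in this report.
SAMPLE_COMMANDS = [
    r"""schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\VGX\backgroundTaskHost.exe'" /f""",
    r"""schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Templates\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f""",
]
# Constructed benign control line (not from the report): a daily backup job.
BENIGN_COMMAND = r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" """

if __name__ == "__main__":
    for hit in suspicious_tasks(SAMPLE_COMMANDS + [BENIGN_COMMAND]):
        print(hit["task"], "->", hit["target"])
        for f in hit["findings"]:
            print("   ", f)
```

The same `assess` logic maps onto Sysmon Event ID 1 or Security Event ID 4698 data: feed it the CommandLine field of every `schtasks.exe /create` and alert when two or more traits coincide, which in this run fires on every one of the registrations above while leaving the constructed benign job untouched.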

                      Network

                            MITRE ATT&CK Enterprise v15

                            Downloads

                            • C:\Program Files (x86)\Common Files\Services\spoolsv.exe

                              Filesize

                              1.1MB

                              MD5

                              6ddfc9054ea9ffff277554a16756c662

                              SHA1

                              7b82b617a47af48ed60f81d8445818cf01adffa8

                              SHA256

                              4b776022e8622d4142ad3d70399bc24a759ee8eb7a76ab061666f3062c345ff9

                              SHA512

                              c3da51a54a989f2e1ba866595ed6db4f1232a578e0c502c85d0b76392045fa2a997ce33d579c1755fb2af5c750155ecee0ba7f06c5aaf5f8c41a2829a5b67c4a

                            • C:\ProgramData\Microsoft\Windows\Templates\winlogon.exe

                              Filesize

                              1.1MB

                              MD5

                              f83148f181f138db59182790125e3550

                              SHA1

                              59af834bd5049062d03068977b90fdd60ab75516

                              SHA256

                              8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09

                              SHA512

                              fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

                            • C:\Recovery\WindowsRE\dwm.exe

                              Filesize

                              1.1MB

                              MD5

                              f83148f181f138db59182790125e3550

                              SHA1

                              59af834bd5049062d03068977b90fdd60ab75516

                              SHA256

                              8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09

                              SHA512

                              fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NEAS.f83148f181f138db59182790125e3550.exe.log

                              Filesize

                              1KB

                              MD5

                              bbb951a34b516b66451218a3ec3b0ae1

                              SHA1

                              7393835a2476ae655916e0a9687eeaba3ee876e9

                              SHA256

                              eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

                              SHA512

                              63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

                              Filesize

                              1KB

                              MD5

                              4a667f150a4d1d02f53a9f24d89d53d1

                              SHA1

                              306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                              SHA256

                              414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                              SHA512

                              4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                            • C:\Users\Admin\AppData\Local\Temp\045eca76-3656-471f-b030-849723d4466a.vbs

                              Filesize

                              717B

                              MD5

                              a737bd76933023857186c6582db2c58d

                              SHA1

                              fcb0b8e92eb281c16b5f6f77e4c787ab60700575

                              SHA256

                              7b63e91a06544d9e6336a34ae231a5351f79b24c0fa3bc9598aaff1ff885c03a

                              SHA512

                              a862df8dea0a5f88a2e769f1d3acffdca78471681f996dfedc27c706b89367ea5e751e4d288b4fb5cacf0cf59377b51668c8cd5a90bee843ad882ce8c94e76aa

                            • C:\Users\Admin\AppData\Local\Temp\308aa1bf-4cf9-4895-9303-d003053bda0d.vbs

                              Filesize

                              493B

                              MD5

                              ee45689b45f8e8ed747675f74714619f

                              SHA1

                              1aef6412163004574cdeda35002ec5f0283b4f51

                              SHA256

                              df0e1e59f43be1f887487e8e74fd3344038aa52bc14aa25e2cfbd55fb594bac9

                              SHA512

                              d7499149fee49fa16c83ab5495fa73ebaeb4508727f6fda6d29ccb788777d7eaddea295780e8a9ccace91508b8a00efd6209c5389d43d033fa6d399eafd99639

                            • C:\Users\Admin\AppData\Local\Temp\47999871-8ad1-4ce1-bce8-9653152f8f95.vbs

                              Filesize

                              493B

                              MD5

                              ee45689b45f8e8ed747675f74714619f

                              SHA1

                              1aef6412163004574cdeda35002ec5f0283b4f51

                              SHA256

                              df0e1e59f43be1f887487e8e74fd3344038aa52bc14aa25e2cfbd55fb594bac9

                              SHA512

                              d7499149fee49fa16c83ab5495fa73ebaeb4508727f6fda6d29ccb788777d7eaddea295780e8a9ccace91508b8a00efd6209c5389d43d033fa6d399eafd99639

                            • C:\Users\Admin\AppData\Local\Temp\53b7fce0-ff84-4cf9-88e0-a29b4068b307.vbs

                              Filesize

                              717B

                              MD5

                              bed10a4892c94be5dc10200860828574

                              SHA1

                              8a49545fbf6c404e6d40a9aae2663c0bbaaebf3b

                              SHA256

                              695cd59cceb324bc5c7526d7ca3193eb8db8f1c70ad7c748ffc4442a93dcd300

                              SHA512

                              0876828d374820e864b4c5118d2157846868c510117290fca7334547f545ad1fc6348d9dedbb64786031c0d5c7e574a8b22d64c5364f011461815ca066a41e7b

                            • C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe

                              Filesize

                              1.1MB

                              MD5

                              f83148f181f138db59182790125e3550

                              SHA1

                              59af834bd5049062d03068977b90fdd60ab75516

                              SHA256

                              8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09

                              SHA512

                              fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

                            • C:\Users\Admin\AppData\Local\Temp\f8901282d4c602a9b5b95cb5aeb411efc3b72249.exe

                              Filesize

                              1.1MB

                              MD5

                              f83148f181f138db59182790125e3550

                              SHA1

                              59af834bd5049062d03068977b90fdd60ab75516

                              SHA256

                              8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09

                              SHA512

                              fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

                            • C:\Users\Admin\AppData\Local\Temp\hy3B39XMXx.bat

                              Filesize

                              240B

                              MD5

                              1cd7354c734be69a69312893e8a02f18

                              SHA1

                              a56dbe7cec5245ea240328db2d155bc365940b2e

                              SHA256

                              27036f9fa3e734ece23d4f3e51c27d4bd400038a45d11c321a8d3a7acea4eca8

                              SHA512

                              01919527515fab735755146c38decf92b5e113aefd96c926d99ea410c3d32eab010963d5043b5ecbe171e119b362b4b87c3b5d5bcbc7bcbea75d310877c1c2d3

                            • C:\Users\All Users\Templates\winlogon.exe

                              Filesize

                              1.1MB

                              MD5

                              f83148f181f138db59182790125e3550

                              SHA1

                              59af834bd5049062d03068977b90fdd60ab75516

                              SHA256

                              8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09

                              SHA512

                              fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

                            • C:\Users\Default\Music\RCXC159.tmp

                              Filesize

                              1.1MB

                              MD5

                              34fe4f639ea17809e3bf767cf63a62d0

                              SHA1

                              f3067d86855f145be7b8ca5df2653b6c9499d240

                              SHA256

                              f66342e64f9689d5d7fbab44a39880caeeb881e6be35ced12212d9a2b03f8f27

                              SHA512

                              cd0b04b69a462121479cc3cf711942346d2191f06947ee76230c6afb8240ad4bd95a4c48029b30819ecab04fe53fe8a44b2ae807b46560ee607d7b6bd183b9a0

                            • C:\odt\9e8d7a4ca61bd9

                              Filesize

                              406B

                              MD5

                              aa423de80de419ded78a7d1f10acd15d

                              SHA1

                              fd6ca3be8a2825a21aeec9001c71e1102089ffe3

                              SHA256

                              931e2ee9e20e6ad9f23a4737fe2e5c6a3d8f82560d52bb7301c8e5cf162211ad

                              SHA512

                              3a7fe91420d9307828d207551cbcd929f18402c51f1c32fa8df4b8da64dcf14abdfc7206616b83a523874c3bbecb0e092d301f0c20cca714b9b4b0b1d408fe60

                            • memory/2912-318-0x00007FFCF9D80000-0x00007FFCFA841000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/2912-320-0x000000001B800000-0x000000001B812000-memory.dmp

                              Filesize

                              72KB

                            • memory/2912-333-0x00007FFCF9D80000-0x00007FFCFA841000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/2912-332-0x000000001B050000-0x000000001B060000-memory.dmp

                              Filesize

                              64KB

                            • memory/2912-319-0x000000001B050000-0x000000001B060000-memory.dmp

                              Filesize

                              64KB

                            • memory/2912-331-0x00007FFCF9D80000-0x00007FFCFA841000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/3032-4-0x000000001BC40000-0x000000001BC90000-memory.dmp

                              Filesize

                              320KB

                            • memory/3032-181-0x00007FFCFA4C0000-0x00007FFCFAF81000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/3032-3-0x000000001B350000-0x000000001B36C000-memory.dmp

                              Filesize

                              112KB

                            • memory/3032-0-0x0000000000730000-0x000000000085C000-memory.dmp

                              Filesize

                              1.2MB

                            • memory/3032-5-0x000000001B370000-0x000000001B380000-memory.dmp

                              Filesize

                              64KB

                            • memory/3032-6-0x000000001B3A0000-0x000000001B3B6000-memory.dmp

                              Filesize

                              88KB

                            • memory/3032-7-0x000000001B380000-0x000000001B392000-memory.dmp

                              Filesize

                              72KB

                            • memory/3032-9-0x000000001BBF0000-0x000000001BBFA000-memory.dmp

                              Filesize

                              40KB

                            • memory/3032-10-0x000000001BC00000-0x000000001BC0E000-memory.dmp

                              Filesize

                              56KB

                            • memory/3032-2-0x000000001B390000-0x000000001B3A0000-memory.dmp

                              Filesize

                              64KB

                            • memory/3032-1-0x00007FFCFA4C0000-0x00007FFCFAF81000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/3032-8-0x000000001C420000-0x000000001C948000-memory.dmp

                              Filesize

                              5.2MB

                            • memory/3688-312-0x00007FFCF9D10000-0x00007FFCFA7D1000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/3688-315-0x00007FFCF9D10000-0x00007FFCFA7D1000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/3688-313-0x000000001BAC0000-0x000000001BAD0000-memory.dmp

                              Filesize

                              64KB

                            • memory/3688-302-0x000000001B820000-0x000000001B832000-memory.dmp

                              Filesize

                              72KB

                            • memory/3688-300-0x000000001BAC0000-0x000000001BAD0000-memory.dmp

                              Filesize

                              64KB

                            • memory/3688-299-0x00007FFCF9D10000-0x00007FFCFA7D1000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/4964-185-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

                              Filesize

                              64KB

                            • memory/4964-298-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

                              Filesize

                              64KB

                            • memory/4964-301-0x00007FFCF9D10000-0x00007FFCFA7D1000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/4964-234-0x00007FFCF9D10000-0x00007FFCFA7D1000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/4964-184-0x00007FFCF9D10000-0x00007FFCFA7D1000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/4964-186-0x0000000003050000-0x0000000003062000-memory.dmp

                              Filesize

                              72KB