Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-05-2024 23:01

General

  • Target

    7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe

  • Size

    1.2MB

  • MD5

    7b05cf7f9e8162f55d50f10f711df29a

  • SHA1

    6c077351d11f6069067d69b6ece6d0989e972c99

  • SHA256

    7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47

  • SHA512

    275b2d3680a92510c0a72c5e369c5c2ca57be94b71e4c668a8be9874b85bf084a6d065973cfce685580ed123adfba95373338c0b2009be86399afcd4c7c1a0d8

  • SSDEEP

    24576:VR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:bJaDKf4p4UD1v

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 45 IoCs
  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables containing base64-encoded gzip files 11 IoCs
  • Detects executables packed with SmartAssembly 7 IoCs
  • Executes dropped EXE 15 IoCs
  • Checks whether UAC is enabled 1 TTPs 30 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
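The schtasks invocations listed under Processes below show the pattern this signature describes in its raw form: each dropped binary gets one task that runs it at logon with /rl HIGHEST and one or two that re-run it every few minutes, and the task names are the binary's own name, plain or with its first character appended (lsass / lsassl, dwm / dwmd). The Python below is an added example, not code from the sandbox or from DCRat, that parses such command lines (as they appear in a Sysmon Event ID 1 or Security 4688 CommandLine field) and records which of those traits each one matches. The four malicious sample lines are copied from this report, the fifth is a constructed benign control, and the system-binary name list, the System32 path check and the 15-minute "tight loop" bound are this example's own assumptions.

```python
r"""Triage `schtasks /create` command lines for the persistence traits in this report.

Added example, not code from the sandbox or from DCRat. The first four sample
lines are copied from the Processes section of this report; the fifth is a
constructed benign control. The binary-name list, the System32 check and the
15-minute "tight loop" bound are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Binaries whose genuine copies live only under System32/SysWOW64; a task whose
# action runs a file with one of these names from anywhere else is masquerading.
SYSTEM_BINARY_NAMES = {
    "lsass.exe", "smss.exe", "csrss.exe", "services.exe", "wininit.exe",
    "winlogon.exe", "dwm.exe", "taskhost.exe", "system.exe",
}
SYSTEM32_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SHORT_INTERVAL_MINUTES = 15  # assumption: a relaunch loop this tight is rarely legitimate

_TOKEN = re.compile(r'"[^"]*"|\S+')  # a double-quoted string or a bare word


@dataclass
class TaskCreate:
    name: str                 # /tn
    schedule: str             # /sc, upper-cased (ONLOGON, MINUTE, DAILY, ...)
    modifier: Optional[int]   # /mo, when numeric
    run_level: Optional[str]  # /rl (HIGHEST = run with the highest available token)
    action: str               # /tr with quoting stripped
    rules: List[str] = field(default_factory=list)


def _unquote(value: str) -> str:
    # This sample writes the action as "'C:\path\x.exe'": strip both quote layers.
    return value.strip('"').strip("'").strip()


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreate]:
    """Split a `schtasks.exe /create ...` command line into its options."""
    tokens = _TOKEN.findall(cmdline)
    if "/create" not in [t.lower() for t in tokens[1:]]:
        return None
    opts = {}
    i = 1
    while i < len(tokens):
        key = tokens[i].lower()
        if key.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[key] = _unquote(tokens[i + 1])
            i += 2
        else:
            i += 1  # bare switch such as /create or /f
    if "/tn" not in opts or "/tr" not in opts:
        return None
    mo = opts.get("/mo")
    return TaskCreate(name=opts["/tn"], schedule=opts.get("/sc", "").upper(),
                      modifier=int(mo) if mo and mo.isdigit() else None,
                      run_level=opts.get("/rl"), action=opts["/tr"])


def _program_of(action: str) -> str:
    """Executable part of a /tr action (trailing arguments dropped)."""
    m = re.match(r"(.*?\.exe)(?:\s|$)", action, re.IGNORECASE)
    return m.group(1) if m else action.split(" ", 1)[0]


def triage(cmdline: str) -> Optional[TaskCreate]:
    """Parse one command line and attach the persistence rules it matches."""
    task = parse_schtasks_create(cmdline)
    if task is None:
        return None
    directory, _, basename = _program_of(task.action).lower().rpartition("\\")
    stem = basename[:-4] if basename.endswith(".exe") else basename
    if basename in SYSTEM_BINARY_NAMES and not directory.startswith(SYSTEM32_DIRS):
        task.rules.append("masquerading_system_binary")
    # This sample names each task after its binary, either plain or with the
    # binary's first character appended (lsass -> lsass / lsassl, dwm -> dwm / dwmd).
    if stem and task.name.lower() in (stem, stem + stem[0]):
        task.rules.append("task_name_mirrors_binary")
    if task.schedule == "ONLOGON" and (task.run_level or "").upper() == "HIGHEST":
        task.rules.append("logon_task_highest_runlevel")
    if task.schedule == "MINUTE" and task.modifier is not None \
            and task.modifier <= SHORT_INTERVAL_MINUTES:
        task.rules.append("tight_relaunch_loop")
    return task


def triage_all(cmdlines: List[str]) -> List[TaskCreate]:
    """Return only the tasks that matched at least one rule."""
    return [t for t in map(triage, cmdlines) if t is not None and t.rules]


SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
schtasks.exe /create /tn "GoogleUpdateTaskMachineUA" /sc DAILY /tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua" /f
'''.strip().splitlines()  # last line: constructed benign control, not from the report

if __name__ == "__main__":
    for t in triage_all(SAMPLE_CMDLINES):
        print(f"{t.name:<12} {t.schedule:<8} {t.action}\n    {', '.join(t.rules)}")
```

Only the masquerading rule is strong on its own; the other three add weight (a legitimate task named "Defrag" that runs defrag.exe would satisfy the name rule), so read the matched-rule list as a score rather than a verdict. Note also that these command lines are only visible if command-line auditing is on: 4688 records the command line only with "Include command line in process creation events" enabled, whereas Sysmon Event ID 1 always carries it.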

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
    "C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2204
    • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
      "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:928
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6005f989-f7a9-4055-819d-977900273d66.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
          "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2804
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba96d3d6-50a6-4b08-af82-7eddc7691df5.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1664
            • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
              "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2852
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07522d8d-6031-4b5b-950c-1a759d2e8288.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2696
                • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
                  "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1760
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba27be3a-0622-468f-838b-88eef2bc92f6.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1632
                    • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
                      "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
                      10⤵
                      • UAC bypass
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:2148
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25a607aa-d346-4672-9626-c059e84bcef7.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3064
                        • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
                          "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
                          12⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:1712
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15ba4346-0aba-4a22-89bc-0b33c7cca7d1.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2016
                            • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
                              "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
                              14⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:2976
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cc0817e-acb1-4b5a-878e-4ece6bb99ffd.vbs"
                                15⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2872
                                • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
                                  "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
                                  16⤵
                                  • UAC bypass
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Suspicious use of AdjustPrivilegeToken
                                  • System policy modification
                                  PID:1664
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5168d97-7aaa-4218-8770-fbc36f5fafc7.vbs"
                                    17⤵
                                      PID:1472
                                      • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
                                        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
                                        18⤵
                                        • UAC bypass
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Suspicious use of AdjustPrivilegeToken
                                        • System policy modification
                                        PID:1648
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47e07594-bdcd-4a6e-b15c-17bbfaa171e0.vbs"
                                          19⤵
                                            PID:1704
                                            • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
                                              "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
                                              20⤵
                                              • UAC bypass
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Suspicious use of AdjustPrivilegeToken
                                              • System policy modification
                                              PID:2348
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd4bc98f-1d37-461e-b4d7-ae9290da89a3.vbs"
                                                21⤵
                                                  PID:1940
                                                  • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
                                                    "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
                                                    22⤵
                                                    • UAC bypass
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:2884
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11408965-a031-45a4-9ddd-1174e1951fa7.vbs"
                                                      23⤵
                                                        PID:2988
                                                        • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
                                                          "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
                                                          24⤵
                                                          • UAC bypass
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • System policy modification
                                                          PID:692
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cff87ea-880f-486c-83a2-108888155b08.vbs"
                                                            25⤵
                                                              PID:2484
                                                              • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
                                                                "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
                                                                26⤵
                                                                • UAC bypass
                                                                • Executes dropped EXE
                                                                • Checks whether UAC is enabled
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • System policy modification
                                                                PID:1688
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac2b3ebf-d625-4c9b-9c61-4ad84d56c72c.vbs"
                                                                  27⤵
                                                                    PID:1384
                                                                    • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
                                                                      "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
                                                                      28⤵
                                                                      • UAC bypass
                                                                      • Executes dropped EXE
                                                                      • Checks whether UAC is enabled
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • System policy modification
                                                                      PID:2660
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d54acb9-ea33-4fac-92c5-9957f249ba27.vbs"
                                                                        29⤵
                                                                          PID:928
                                                                          • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
                                                                            "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
                                                                            30⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2632
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20cdbbdd-36ce-4ca2-b93d-286e19d97e79.vbs"
                                                                          29⤵
                                                                            PID:2060
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3aaada3-b943-4831-acbb-c0956fa2f593.vbs"
                                                                        27⤵
                                                                          PID:892
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fda90d4-8cfe-4d52-a897-85f577e3d378.vbs"
                                                                      25⤵
                                                                        PID:2736
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbf1ba91-215f-47b3-977d-57ab038a80a9.vbs"
                                                                    23⤵
                                                                      PID:1868
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d76cbd0-1849-47c9-9249-18e36dd297be.vbs"
                                                                  21⤵
                                                                    PID:2404
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5bcb7c6-d8b1-409f-81a9-466d7a016ec9.vbs"
                                                                19⤵
                                                                  PID:1632
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f5e9975-a8cf-4f96-9267-bb709de46d0f.vbs"
                                                              17⤵
                                                                PID:2028
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1267f796-d6fc-438d-921f-1b587723bf4e.vbs"
                                                            15⤵
                                                              PID:2728
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef43f8ae-a172-4281-ad4f-32deec5a4441.vbs"
                                                          13⤵
                                                            PID:3012
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99ffe88c-8757-45cb-afdb-9aab142937bc.vbs"
                                                        11⤵
                                                          PID:1772
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fc9ecaf-5aae-4932-ba43-6c8497214311.vbs"
                                                      9⤵
                                                        PID:628
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8da6832-5614-47b8-8bfe-a24219509948.vbs"
                                                    7⤵
                                                      PID:2836
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5623b9b-fff1-4318-8815-fa267e3c2cb3.vbs"
                                                  5⤵
                                                    PID:552
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb895221-8cc4-4b74-8f2a-04e49e9174d7.vbs"
                                                3⤵
                                                  PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c477" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c477" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2716
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2836
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:316
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2028
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c477" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:836
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1760
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c477" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1184
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2264
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2260
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:1688
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2932
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:2088
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Creates scheduled task(s)
                                              PID:776

                                            Downloads

                                             • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
                                               Filesize: 1.2MB
                                               MD5: ab847f6f56089b43846bfdab2d546973
                                               SHA1: e3687c95196a50e36952454992f9b2caf40437e9
                                               SHA256: c8c8cc6c7204e50535670740a1a5e91aa63c1c72e6bb61ecc727ed6f3f776f8d
                                               SHA512: db450dbf6bbee41df459cd7a37dfb740a602064e5559b0af66c6334ec67052963759cd7fdf75b31f9cf71e797a5bc7186fa2dd0d6c77804e0f9d141cd7e47a10

                                             • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
                                               Filesize: 1.2MB
                                               MD5: 7b05cf7f9e8162f55d50f10f711df29a
                                               SHA1: 6c077351d11f6069067d69b6ece6d0989e972c99
                                               SHA256: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47
                                               SHA512: 275b2d3680a92510c0a72c5e369c5c2ca57be94b71e4c668a8be9874b85bf084a6d065973cfce685580ed123adfba95373338c0b2009be86399afcd4c7c1a0d8

                                             • C:\Users\Admin\AppData\Local\Temp\07522d8d-6031-4b5b-950c-1a759d2e8288.vbs
                                               Filesize: 761B
                                               MD5: 715d0544bbb8eaca9bdccfa03b5143e7
                                               SHA1: 5624a678fc68cc1a9d636f25a455f6f66ea7ccea
                                               SHA256: abd58ae25c40c288cace17553e97b72e1311161d47b2d08d2498c5f518520da2
                                               SHA512: 4c3ee1ae2120d20d5f796cb9f7b000f3316e31147e5cc996952f89cb766f922e289d0e48696828b081c403a5c04ea92f171bee88558aa72dd0ddd661c29ce343

                                             • C:\Users\Admin\AppData\Local\Temp\0cc0817e-acb1-4b5a-878e-4ece6bb99ffd.vbs
                                               Filesize: 761B
                                               MD5: c2c1e88dedc126c8adf047c557d21be5
                                               SHA1: d5019e7ae7ec64d815cc03165aedde85b613739b
                                               SHA256: b8f5b03e7320edb988d76fb8cdc9d04ea23ea81334ef9ba336e32f90573696cf
                                               SHA512: 5c7f4946eaef2655cb3652f4d15def37881ed1b6a06dd9f9ac035ebb2bf2aee8fd39d5f69fc4cbd2be6a659de586d812104e151da798757c9b1c1eb9371b5216

                                             • C:\Users\Admin\AppData\Local\Temp\11408965-a031-45a4-9ddd-1174e1951fa7.vbs
                                               Filesize: 761B
                                               MD5: b0cbf2648c4063c3240ad614d8a28c5a
                                               SHA1: ccf3a5606cd18e27181dfe7e915b6b02e33a8ad4
                                               SHA256: fbbe3f330b925376016d4baf833bc2cc1db6e55c7bc9780663f9840ffca96bb9
                                               SHA512: cfbf0fad67d1210ace6b61410fdcb9b12846877c1284684b717b604ed94d9f81f26f4b916d29a4ebe5eaba2156d897950d19fb0b06b4c686def8daab92fbb754

                                             • C:\Users\Admin\AppData\Local\Temp\15ba4346-0aba-4a22-89bc-0b33c7cca7d1.vbs
                                               Filesize: 761B
                                               MD5: 5e0218baa47a2901ba134c328505f9e3
                                               SHA1: 2bb64ee2f73d053080274392db8fb0350acdbb06
                                               SHA256: 4be23cbdc0c9958d5a96484b97cbffea1b977c9ef5f7c9624228bc571f6416ce
                                               SHA512: da69b3189f8fdd61fc1d30dd36515324127f75151b47753ba8efd8beea764ce3f2c2bf480e8c1e589fc9c4cc05ebb2aed130973e7066a9b4a36afbbb3faa99ee

                                             • C:\Users\Admin\AppData\Local\Temp\25a607aa-d346-4672-9626-c059e84bcef7.vbs
                                               Filesize: 761B
                                               MD5: bbf2c6d6f0892434046c6ffd8ecefaa5
                                               SHA1: 9d631090e7841fd01bf971cbcb63c71294083d6e
                                               SHA256: ff776fb5343a99b17d1ffe31cde8d3cb1726f3ca7853dc4d4a6931d8973cc75d
                                               SHA512: b52a6e28875ad46ad2cf634c95b09660effef73ee4658b65385f92c054f47dcfe09c76ab4e5ba078c01d7528543e9ef6db4cd1579ddc72345899427368e396af

                                             • C:\Users\Admin\AppData\Local\Temp\47e07594-bdcd-4a6e-b15c-17bbfaa171e0.vbs
                                               Filesize: 761B
                                               MD5: 5aecee3885808d1bf02339513168d038
                                               SHA1: fc3bbbefc2972ab5faa21d6e947e5f092ccf5104
                                               SHA256: 7de6ee9ba05eb99e46ba6bf7b21946f7d748a66389b8d578a54f85a227c90da0
                                               SHA512: bb8583b4a2206441cfe0b88b0e5007f60cea66893b1fe2d4f5f10301e9cdf86ed852635773e8c4d1428a6fbe273651d4ca754f353538e537856e587f1c8d183d

                                             • C:\Users\Admin\AppData\Local\Temp\6005f989-f7a9-4055-819d-977900273d66.vbs
                                               Filesize: 760B
                                               MD5: f202e66b3cdfafad2ed7cf973a0105d3
                                               SHA1: 4dd3bbc884871ee944da3a8e8e4cfe0f43c3890b
                                               SHA256: 14d4d26a32c02770051d68c542dfb6cee97fa621decdf359e598c109fbee1f6e
                                               SHA512: abc49dce47394cdafc04f67b16ddcbdc4bb18de952b74d88adac48d1b0fe6b4661a7dc0c4d0557c4731273edad9294058b106be3e612ed845d9453812f6f3400

                                             • C:\Users\Admin\AppData\Local\Temp\8d54acb9-ea33-4fac-92c5-9957f249ba27.vbs
                                               Filesize: 761B
                                               MD5: 3c7eb0fddd49c75da89865e9f1c7160c
                                               SHA1: 9ca5095f1334b1b2645b0b54dac4452ad77bc2e4
                                               SHA256: d9bdb1827b3b3376ec8bf19fe7cf3cf7a55c66a50b6202b69443f72354adecea
                                               SHA512: f1d4849948958ae22dad0582e2ee70b4e34767667065b4f872afe54418c290a4de72e3d10ff986544a2244e2a08dfc45a212da88196c1fbe23950c28278e587d

                                             • C:\Users\Admin\AppData\Local\Temp\9cff87ea-880f-486c-83a2-108888155b08.vbs
                                               Filesize: 760B
                                               MD5: 4d2b63e9b0e8d85831f24f87a1842014
                                               SHA1: c3db2597478f939e3d6073cd9fbaa5f7a7332922
                                               SHA256: ec74b48780bce6602b712f7acea271a10d1aba12f0046cc395714d8c36aeeff8
                                               SHA512: 1cee5b6f0fa0401c00c3579f96c49c3636dec7661ce821c30202bf46f87a8479de511e79f41ce85ff0c4f1acf149b07f6d05531b9f9061cde881fc6bc9953c87

                                             • C:\Users\Admin\AppData\Local\Temp\ac2b3ebf-d625-4c9b-9c61-4ad84d56c72c.vbs
                                               Filesize: 761B
                                               MD5: 7a96a1ae0c59741c8a5a334ab66064cd
                                               SHA1: 0533f84c64330144dda9a341ce9a8986d0c627b2
                                               SHA256: f8d9e1e3e6b8d4b95024c7d19ffbbbab2cd991c1e94855dfdeacca98c62ba8fb
                                               SHA512: a68d827e54c4414f59eca2b52a6cb29bdbc021e766fffe16321015c4ce98ad854d283785e76013d27ccf1769246de6dd71aed07ec5a800b99aced0a6b96860ab

                                             • C:\Users\Admin\AppData\Local\Temp\ba27be3a-0622-468f-838b-88eef2bc92f6.vbs
                                               Filesize: 761B
                                               MD5: aaa969ac0cd09473f1eb5bef6da6d29d
                                               SHA1: e1e1f8c09ffb3355a676248e5d0c252c65c23ade
                                               SHA256: b71fde81a0dc0b5fe9b7a19d23e3860355e1793c892ee3084f3b0a938cdbb53e
                                               SHA512: e343da1c2ed7444ba62cb7662403949e38db7d2cd1ee2ff0d116ffe6bb9a55c578efb25032ccab367702bcdc9850868c5c6ac17e8578d05f17e39e70304e531a

                                             • C:\Users\Admin\AppData\Local\Temp\ba96d3d6-50a6-4b08-af82-7eddc7691df5.vbs
                                               Filesize: 761B
                                               MD5: 044a06fc903c929e86777b8ebbeb5ffb
                                               SHA1: 02c0161bed0f2461637c980e93a623c703ed0e83
                                               SHA256: c3355dfab9bc4e1735450f4238e036b2afcd6f2b78f9ebde3b42b2c2c88a9c96
                                               SHA512: 53a4c1419d43ce4b44d362de91d52f56b9ec09e47028e05f2b06bdfdf7c7fb776d8dac84fae53d352aaad490a82978837a87d8233cf78d345fa90bf793e34e63

                                             • C:\Users\Admin\AppData\Local\Temp\cb895221-8cc4-4b74-8f2a-04e49e9174d7.vbs
                                               Filesize: 537B
                                               MD5: 14917d3fe5bafe470dd0e0c9e5f616bf
                                               SHA1: 7a2650084c6d1c9dbd1b7a9fc7939e2608bc05cd
                                               SHA256: a47ffb174650a7c570727277f79c9e946d2cbbc7955b4b595c8ee4c87d824aa3
                                               SHA512: c98e921749bae148c4fe20e27e72325bfeb8f5f4e358d2cebbe611d0135ee7e8dfac38498dd2bd3bd672fcc2ee05c58a82ff02152f1bbd6f361ec42144c6844c

                                             • C:\Users\Admin\AppData\Local\Temp\e5168d97-7aaa-4218-8770-fbc36f5fafc7.vbs
                                               Filesize: 761B
                                               MD5: 17927551d5ebd705e83d7bb796d1c0fe
                                               SHA1: f1f79013bb0900bffbc91666eb569777da573fad
                                               SHA256: f65c8c0cb113a2c61be29f640840b0bc8811df6079a05f81be409ce0bba58613
                                               SHA512: 5a335e4257a6f2697fb6e5e2e439d3911149f9710ce0013ab666907d5aae8b834c01a39bcecd09bd9382f4c745f603f5ff27197ce30983ecd4633d1ca88ed1c6

                                             • C:\Users\Admin\AppData\Local\Temp\fd4bc98f-1d37-461e-b4d7-ae9290da89a3.vbs
                                               Filesize: 761B
                                               MD5: 76111bb744cb6d49ae4cf05dc7c00b0f
                                               SHA1: 329702f1b4f163a761f578a0706985c288ca0ce1
                                               SHA256: 851928a7a3ee5694729b0c7e960ed83cf4ed5b5853f3ed9a7cfbcc127262f565
                                               SHA512: 82f5cb505b484fea96ac28f142440992233efba3081eb658d350c20de42f1cce9eeceaee786db7e9e323970633733d4a0982455b2c1238c4179cb5a539d9dfb4

                                             • memory/692-252-0x0000000000870000-0x00000000009AA000-memory.dmp
                                               Filesize: 1.2MB

                                             • memory/928-125-0x0000000000EF0000-0x000000000102A000-memory.dmp
                                               Filesize: 1.2MB

                                             • memory/1688-264-0x0000000001140000-0x000000000127A000-memory.dmp
                                               Filesize: 1.2MB

                                             • memory/1760-160-0x0000000001210000-0x000000000134A000-memory.dmp
                                               Filesize: 1.2MB

                                             • memory/2148-172-0x0000000001240000-0x000000000137A000-memory.dmp
                                               Filesize: 1.2MB

                                             • memory/2204-17-0x0000000000AF0000-0x0000000000AFC000-memory.dmp
                                               Filesize: 48KB

                                             • memory/2204-1-0x0000000001060000-0x000000000119A000-memory.dmp
                                               Filesize: 1.2MB

                                             • memory/2204-126-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp
                                               Filesize: 9.9MB

                                             • memory/2204-6-0x0000000000590000-0x00000000005A6000-memory.dmp
                                               Filesize: 88KB

                                             • memory/2204-20-0x0000000000B20000-0x0000000000B2C000-memory.dmp
                                               Filesize: 48KB

                                             • memory/2204-8-0x00000000005B0000-0x00000000005BA000-memory.dmp
                                               Filesize: 40KB

                                             • memory/2204-19-0x0000000000B10000-0x0000000000B1A000-memory.dmp
                                               Filesize: 40KB

                                             • memory/2204-5-0x0000000000460000-0x0000000000470000-memory.dmp
                                               Filesize: 64KB

                                             • memory/2204-18-0x0000000000B00000-0x0000000000B08000-memory.dmp
                                               Filesize: 32KB

                                             • memory/2204-7-0x0000000000470000-0x0000000000478000-memory.dmp
                                               Filesize: 32KB

                                             • memory/2204-16-0x0000000000AE0000-0x0000000000AEE000-memory.dmp
                                               Filesize: 56KB

                                             • memory/2204-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp
                                               Filesize: 4KB

                                             • memory/2204-3-0x0000000000440000-0x000000000045C000-memory.dmp
                                               Filesize: 112KB

                                             • memory/2204-9-0x00000000005C0000-0x00000000005CC000-memory.dmp
                                               Filesize: 48KB

                                             • memory/2204-2-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp
                                               Filesize: 9.9MB

                                             • memory/2204-15-0x0000000000630000-0x000000000063A000-memory.dmp
                                               Filesize: 40KB

                                             • memory/2204-14-0x0000000000620000-0x0000000000628000-memory.dmp
                                               Filesize: 32KB

                                             • memory/2204-13-0x0000000000610000-0x000000000061C000-memory.dmp
                                               Filesize: 48KB

                                             • memory/2204-10-0x00000000005E0000-0x00000000005EC000-memory.dmp
                                               Filesize: 48KB

                                             • memory/2204-4-0x0000000000240000-0x0000000000248000-memory.dmp
                                               Filesize: 32KB

                                             • memory/2204-12-0x0000000000600000-0x000000000060C000-memory.dmp
                                               Filesize: 48KB

                                             • memory/2204-11-0x00000000005F0000-0x00000000005F8000-memory.dmp
                                               Filesize: 32KB

                                             • memory/2804-137-0x0000000000F90000-0x00000000010CA000-memory.dmp
                                               Filesize: 1.2MB

                                             • memory/2884-240-0x0000000000130000-0x000000000026A000-memory.dmp
                                               Filesize: 1.2MB

                                             • memory/2976-195-0x00000000013D0000-0x000000000150A000-memory.dmp
                                               Filesize: 1.2MB