Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    13-05-2024 23:01

General

  • Target

    7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe

  • Size

    1.2MB

  • MD5

    7b05cf7f9e8162f55d50f10f711df29a

  • SHA1

    6c077351d11f6069067d69b6ece6d0989e972c99

  • SHA256

    7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47

  • SHA512

    275b2d3680a92510c0a72c5e369c5c2ca57be94b71e4c668a8be9874b85bf084a6d065973cfce685580ed123adfba95373338c0b2009be86399afcd4c7c1a0d8

  • SSDEEP

    24576:VR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:bJaDKf4p4UD1v

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 39 IoCs
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables containing base64 encoded gzip files 3 IoCs
  • Detects executables packed with SmartAssembly 7 IoCs
  • Checks computer location settings 2 TTPs 13 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Checks whether UAC is enabled 1 TTPs 26 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
    "C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4392
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xxDhnLNanq.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3784
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4624
        • C:\Users\Default User\csrss.exe
          "C:\Users\Default User\csrss.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2300
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a414dbf-5397-4f4f-ada3-ecb35aa923c2.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3232
            • C:\Users\Default User\csrss.exe
              "C:\Users\Default User\csrss.exe"
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1412
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22d16109-f7a0-483b-ade4-9363da0fa9eb.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2172
                • C:\Users\Default User\csrss.exe
                  "C:\Users\Default User\csrss.exe"
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:5076
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529b3577-5c0e-4203-845b-d7ed70a8dcdb.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1908
                    • C:\Users\Default User\csrss.exe
                      "C:\Users\Default User\csrss.exe"
                      9⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:1084
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14533410-8406-4b29-a6b4-d838ab77bfb2.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1652
                        • C:\Users\Default User\csrss.exe
                          "C:\Users\Default User\csrss.exe"
                          11⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:4648
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5887cac0-59f8-489c-b4e8-4b6b9901f767.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:408
                            • C:\Users\Default User\csrss.exe
                              "C:\Users\Default User\csrss.exe"
                              13⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:4432
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0582d10-13c4-487f-82f4-0a8ecf98c2e6.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1408
                                • C:\Users\Default User\csrss.exe
                                  "C:\Users\Default User\csrss.exe"
                                  15⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:5096
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fec20a89-3ef5-426c-a6be-f3c98ca40f24.vbs"
                                    16⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:3064
                                    • C:\Users\Default User\csrss.exe
                                      "C:\Users\Default User\csrss.exe"
                                      17⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      • System policy modification
                                      PID:1456
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb9962c6-39f1-45e4-aee9-c7e531c1eb0f.vbs"
                                        18⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:4972
                                        • C:\Users\Default User\csrss.exe
                                          "C:\Users\Default User\csrss.exe"
                                          19⤵
                                          • UAC bypass
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          • System policy modification
                                          PID:5076
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c47d627c-466e-481b-beee-5602e2f50c7b.vbs"
                                            20⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:3068
                                            • C:\Users\Default User\csrss.exe
                                              "C:\Users\Default User\csrss.exe"
                                              21⤵
                                              • UAC bypass
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Modifies registry class
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              • System policy modification
                                              PID:1840
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ded2a714-455c-45a0-ab48-25c38291836a.vbs"
                                                22⤵
                                                  PID:4572
                                                  • C:\Users\Default User\csrss.exe
                                                    "C:\Users\Default User\csrss.exe"
                                                    23⤵
                                                    • UAC bypass
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Modifies registry class
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:4172
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80764739-2eb7-4efe-a493-e651a4d57895.vbs"
                                                      24⤵
                                                        PID:3668
                                                        • C:\Users\Default User\csrss.exe
                                                          "C:\Users\Default User\csrss.exe"
                                                          25⤵
                                                          • UAC bypass
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          • Modifies registry class
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • System policy modification
                                                          PID:3500
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30a80b62-b432-476e-bbd4-d66a7a7ea57e.vbs"
                                                            26⤵
                                                              PID:2920
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b421495f-0eb6-4ffe-87a5-e948ea68b4c3.vbs"
                                                              26⤵
                                                                PID:4732
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8088d221-530a-4424-b184-73252730254a.vbs"
                                                            24⤵
                                                              PID:4640
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4257a2a3-fedf-429e-8f4e-1db5cb67ca44.vbs"
                                                          22⤵
                                                            PID:5064
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\836fc1bf-da27-4752-bbed-0c0ab2d2f02e.vbs"
                                                        20⤵
                                                          PID:3204
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24b5478f-0f66-46ae-b555-990933997449.vbs"
                                                      18⤵
                                                        PID:4832
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2042511e-12dc-49ec-a5ff-9bdddd0f69b2.vbs"
                                                    16⤵
                                                      PID:712
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c95c64a-4174-4d5a-af47-fbe8253ec2af.vbs"
                                                  14⤵
                                                    PID:5028
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3568498-3830-4a29-9a4a-d1203feb1f5d.vbs"
                                                12⤵
                                                  PID:2312
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dd2ea87-fd2c-4f87-8b5c-e582763e9efb.vbs"
                                              10⤵
                                                PID:1756
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\835fb278-9e33-4414-980e-e6b934b69418.vbs"
                                            8⤵
                                              PID:3272
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8be459a-9e03-4b0d-a677-6fb17dd96bc8.vbs"
                                          6⤵
                                            PID:3344
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\722535dd-9925-443a-b2bc-e0803ad07851.vbs"
                                        4⤵
                                          PID:2376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\System\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\System\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\Registry.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\CbsTemp\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4232
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Downloads\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\InputMethod\lsass.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4080
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\InputMethod\lsass.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:2548
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:3924
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:3228
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:2624
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\backgroundTaskHost.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:216
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\backgroundTaskHost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:1576
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\backgroundTaskHost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:2620
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:2500
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:3248
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:1012
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:1028
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4692
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:3320


                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log (Filesize 1KB)

                                  • C:\Users\Admin\AppData\Local\Temp\14533410-8406-4b29-a6b4-d838ab77bfb2.vbs (Filesize 707B)

                                  • C:\Users\Admin\AppData\Local\Temp\22d16109-f7a0-483b-ade4-9363da0fa9eb.vbs (Filesize 707B)

                                  • C:\Users\Admin\AppData\Local\Temp\30a80b62-b432-476e-bbd4-d66a7a7ea57e.vbs (Filesize 707B)

                                  • C:\Users\Admin\AppData\Local\Temp\4a414dbf-5397-4f4f-ada3-ecb35aa923c2.vbs (Filesize 707B)

                                  • C:\Users\Admin\AppData\Local\Temp\529b3577-5c0e-4203-845b-d7ed70a8dcdb.vbs (Filesize 707B)

                                  • C:\Users\Admin\AppData\Local\Temp\5887cac0-59f8-489c-b4e8-4b6b9901f767.vbs (Filesize 707B)

                                  • C:\Users\Admin\AppData\Local\Temp\722535dd-9925-443a-b2bc-e0803ad07851.vbs (Filesize 483B)

                                  • C:\Users\Admin\AppData\Local\Temp\80764739-2eb7-4efe-a493-e651a4d57895.vbs (Filesize 707B)

                                  • C:\Users\Admin\AppData\Local\Temp\b0582d10-13c4-487f-82f4-0a8ecf98c2e6.vbs (Filesize 707B)

                                  • C:\Users\Admin\AppData\Local\Temp\ded2a714-455c-45a0-ab48-25c38291836a.vbs (Filesize 707B)

                                  • C:\Users\Admin\AppData\Local\Temp\eb9962c6-39f1-45e4-aee9-c7e531c1eb0f.vbs (Filesize 707B)

                                  • C:\Users\Admin\AppData\Local\Temp\fec20a89-3ef5-426c-a6be-f3c98ca40f24.vbs (Filesize 707B)

                                  • C:\Users\Admin\AppData\Local\Temp\xxDhnLNanq.bat (Filesize 196B)

                                  • C:\Users\Admin\Downloads\fontdrvhost.exe (Filesize 1.2MB)

                                  • C:\Windows\CbsTemp\explorer.exe (Filesize 1.2MB)
