Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-05-2024 05:23

General

  • Target

    fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

  • Size

    3.2MB

  • MD5

    438789fc2753a3a41d1704542bf93769

  • SHA1

    81a6c969c14fc47a15d2574cfb63dee2cbcbf12c

  • SHA256

    fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2

  • SHA512

    c2ae311e1d852759bcfcc3ad0d0daac2e702a8f95065ce71f6eb104d116cadcbacb6b775c0b646d5f57ec1d2463d3c1749803b1416caa75de5b30a03430e329c

  • SSDEEP

    98304:2smfE8eD0M782w1JSdvi199xP9/ecsFjPSz:2QNBY2S99xl

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process (30 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass (3 TTPs, 27 IoCs)
  • DCRat payload (10 IoCs)

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly (8 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 12 IoCs)

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE (8 IoCs)
  • Checks whether UAC is enabled (1 TTP, 18 IoCs)
  • Drops file in Program Files directory (20 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 30 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (21 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 27 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
    "C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZulfStaN0H.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1288
        • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
          "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1744
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ba87ecb-5940-4e8e-99b5-c28594552428.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
              "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1368
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9ff88d6-4078-428f-820d-d181dc812c8b.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1640
                • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                  "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2944
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d34eee8e-524c-4087-a91e-d65ccab7e45a.vbs"
                    8⤵
                      PID:2376
                      • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2948
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc084c79-a470-4d86-930c-d700d3640fdf.vbs"
                          10⤵
                            PID:2076
                            • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                              "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1484
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35ce29fa-6efb-4e8a-a27e-88125fae8067.vbs"
                                12⤵
                                  PID:2628
                                  • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                                    "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:3012
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e469dcc1-53c4-4778-9dbb-78fc602cc11e.vbs"
                                      14⤵
                                        PID:2652
                                        • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                                          "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
                                          15⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2912
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cd5ec01-4606-41ef-9bc8-2f0fc4de7219.vbs"
                                            16⤵
                                              PID:1252
                                              • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                                                "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
                                                17⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:804
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c417b61-62ba-4d00-878d-f6c7f03d2c67.vbs"
                                                  18⤵
                                                    PID:1908
                                                    • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                                                      "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"
                                                      19⤵
                                                        PID:2536
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\375815db-b0f5-4f6e-a3db-62422041f877.vbs"
                                                          20⤵
                                                            PID:2764
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9228f5ee-a058-463b-8c2c-682d53753662.vbs"
                                                            20⤵
                                                              PID:2392
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56f45f54-f828-4fbd-840a-ec174146d5bd.vbs"
                                                          18⤵
                                                            PID:456
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7796154a-93df-48a5-90d2-035d9d1fd528.vbs"
                                                        16⤵
                                                          PID:1912
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f60a501-32b9-480d-ba19-0600d2faf1d3.vbs"
                                                      14⤵
                                                        PID:1936
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32820891-7f20-4536-a645-0b24fa57176c.vbs"
                                                    12⤵
                                                      PID:1720
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5da4343-89e7-4ce4-8f8b-0ff6ad17c0dc.vbs"
                                                  10⤵
                                                    PID:3036
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b912e0d1-476a-4d1e-9a76-23175d7b3fb4.vbs"
                                                8⤵
                                                  PID:2056
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9a63528-aa9c-4210-a140-02570c0c228a.vbs"
                                              6⤵
                                                PID:796
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38f2a627-7cef-471d-b9ba-76ada4004ead.vbs"
                                            4⤵
                                              PID:1076
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2384
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2528
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2476
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2404
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2164
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2412
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:776
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:548
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1440
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1672
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1272
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1632
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2616
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2464
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2760
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\sppsvc.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1288
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2276
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1936
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1912
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:540
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1932
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1216
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2148
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1388
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1356
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2248
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2076
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2228
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2724
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:568

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe
                                        Filesize: 3.2MB
                                        MD5: 438789fc2753a3a41d1704542bf93769
                                        SHA1: 81a6c969c14fc47a15d2574cfb63dee2cbcbf12c
                                        SHA256: fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2
                                        SHA512: c2ae311e1d852759bcfcc3ad0d0daac2e702a8f95065ce71f6eb104d116cadcbacb6b775c0b646d5f57ec1d2463d3c1749803b1416caa75de5b30a03430e329c

                                      • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
                                        Filesize: 3.2MB
                                        MD5: 60e4f641688b2f4359d3fac826d1a199
                                        SHA1: 9bee2792188e7295cf751d97352f131248d4fe1e
                                        SHA256: 3b728f74657834fca6750373d3b7c656f579c8dfccd4723e701d2d8ab64cdf6d
                                        SHA512: 84206d85790b8672df8e43d1cb31b613cb938dfd8c30046dea17c3b4dbcc4f215dffaeb376aaeae9604cd789fca43714ffccd1bb353323b8016f949c43d87041

                                      • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
                                        Filesize: 3.2MB
                                        MD5: 749daae6606bc774af81edcff23d833b
                                        SHA1: 8ff78bb25516f657866a0165ba7f6f628c995485
                                        SHA256: 5bd6a0f6e337a46d1a630e1b80fc35f94e448dc7809cfd0ea906dcd1adf045d6
                                        SHA512: 704e05c520803712ef19da7af200b375bd4b991e9ef7aa8a898aa9832ccebf196f468487321ac1037a0bd65e958ddec0815907454fc9a9218914e37380dc6af7

                                      • C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe
                                        Filesize: 3.2MB
                                        MD5: 919c134f4a1609c03d12346bafd0c477
                                        SHA1: 0492532a5e7b2aaf43b8ee90d322a0837f070a65
                                        SHA256: 8afb1a06f73741269d3a7503b4dc9457761b87f984662643beec753f48e851a7
                                        SHA512: ba892d002686265dd59374f3c07602c5ba64e2fff119b72ce9ec72298807db1cd684f31cf928d0f92e091db8daf243d327fc20ac312452c184fb2b0a2910e37c

                                      • C:\Program Files\Windows Portable Devices\audiodg.exe
                                        Filesize: 3.2MB
                                        MD5: 71426b5d75999b9cf0e9c103197c08c9
                                        SHA1: 319845464554dfd87365487f54b6bb8500edc4b6
                                        SHA256: 169155d69cc77f53659647c1081ecc5a2cc88e9953f81e060f95bf6d73f3e8d2
                                        SHA512: 2ce7d09b2004227e839ab70c5fa961c7cf634929fc98c03d106f668e24e46d1b6f32b6913b7a4af72658309ae4dcb5e2a7d1451473eeabba37ef877f203b5418

                                      • C:\Users\Admin\AppData\Local\Temp\1c417b61-62ba-4d00-878d-f6c7f03d2c67.vbs
                                        Filesize: 755B
                                        MD5: f2dfbea51ed6b3095e63a93b63c1177a
                                        SHA1: cd3ba5650272afee57c65c6a34c101eb3cbfc4d2
                                        SHA256: 8b12ebd3d9e2538c6981e34dab3672d0d9e896ee1f64a3a453bb51633ce98dfb
                                        SHA512: f5b58211b8714d2d9d7d7ad981b364990c116e239903612dd2c06d12eecf7be2f7238fca4efb766e3fbeb37bcf6f6c951d978703ad6962d2ce3e00a27fdbfa1d

                                      • C:\Users\Admin\AppData\Local\Temp\2cd5ec01-4606-41ef-9bc8-2f0fc4de7219.vbs
                                        Filesize: 756B
                                        MD5: 7ac4f0fe7b64c0f85c8ab335ec7ff105
                                        SHA1: 7360f81176c38ab2df7100f458a0cb949cb83cfb
                                        SHA256: b77c6967198fd38b3120f812d9772d2b866961d11a5a86b156e6d26cf2df7cc6
                                        SHA512: 369d5e4baada2e36a75fbb62a39b7ab5302eb879e7ee9907458b34c7dfb480486c1f0117a0be2e9ace680f04e1c7a484bce85dd1d592ae4a572a8326dc1e22bf

                                      • C:\Users\Admin\AppData\Local\Temp\35ce29fa-6efb-4e8a-a27e-88125fae8067.vbs
                                        Filesize: 756B
                                        MD5: 6ab9904c4d9fd634d5a056d4916efb96
                                        SHA1: 9f0b254940aa44674e15b0f69e01bbc0bab44d08
                                        SHA256: 7550b8db0d3e18fe1c911019eb96131f97733f2874b0e8641d04a5817bec0a2f
                                        SHA512: d0a7341b425e776e05d6ce4a58e76943aad7a9319c65911058b03408f81efa34b998731b88292b16f671a4018dce613be0dd0f690300d4d6635cbfb9e2fb7354

                                      • C:\Users\Admin\AppData\Local\Temp\375815db-b0f5-4f6e-a3db-62422041f877.vbs
                                        Filesize: 756B
                                        MD5: 0c88e1125e2e075cffd6a30744b1698c
                                        SHA1: af466f851db31ffcf8857db943e80fa45f0ba4bc
                                        SHA256: fc142352c5366c0a4ea12449c0d55a932556fe188df35bce98295254db59e198
                                        SHA512: 5522f1005bab30082f0800784962b289680d521d080f6226ee0a7b7e79da9b0426eef1322bdcebda8e7825528e4335af64ef94c97a52ba879f83205de428337b

                                      • C:\Users\Admin\AppData\Local\Temp\38f2a627-7cef-471d-b9ba-76ada4004ead.vbs
                                        Filesize: 532B
                                        MD5: 10303bc69fa8240d20cf5411ed9f08d2
                                        SHA1: f9ce752d2017e8ea9b4c2ffaf7b52e6deb8dcbb9
                                        SHA256: 6e21f2ccae98936d1bfaaf865f5b222a32f3ed364a48229d985245bee85afee9
                                        SHA512: c7375740505967e759231bec896e8327c4763d80cfd87eb374f1e0b1ecb6148f36aba687a957a7eaf783ce5cdca276e68ad06604bd5bc47dc4f0550b969d5eda

                                      • C:\Users\Admin\AppData\Local\Temp\7ba87ecb-5940-4e8e-99b5-c28594552428.vbs
                                        Filesize: 756B
                                        MD5: 00d4d9e1de1097dfabff299dfc0e3629
                                        SHA1: ab218433e1eafa3d6e68fceed5ec83f18d604cb4
                                        SHA256: 812a358fa3397570aec1f135edff46404579e56edfdd155d6b04717827f405da
                                        SHA512: d95bc8931aeb7fc2727ce1417b91eff92ab7713f6a61a9b8e5e6ba283c22db5c3452a422f0902fdc743f9289cb489f346e19fb9546f8673d01758be76d48f105

                                      • C:\Users\Admin\AppData\Local\Temp\ZulfStaN0H.bat
                                        Filesize: 245B
                                        MD5: c1a19ccf2aa8d88f6f365cfd2547f516
                                        SHA1: 74713e9d55b05b1b2c61d5474c213ee7646d254f
                                        SHA256: 1ff928749c2a6499bb57f96e0164ffb8be19cb00653dca7cc9b6bac0dc0fbf21
                                        SHA512: 5d4f3ff110f442910382e00c783b3c7958e8493677b9144467fce0c6dd4bb731c71ab7f127a2aeab784c7d5571457ad68827f1d1d306a13452bdcd81c201a656

                                      • C:\Users\Admin\AppData\Local\Temp\ca1033d37860b7102ff60b8f8b730d81674a1cfb.exe
                                        Filesize: 467KB
                                        MD5: 7300e57d231fce9f16f15085540f8246
                                        SHA1: 37c8b4127eac2c7f744d016d1376cda68e4aad5b
                                        SHA256: 0cd54d02aa25982056b8a47df0fdc1af8904f1060bd7aeb922c8b83be1b54fe2
                                        SHA512: dc050385d1aa8051f0da2976772a766caa6d4a77105e42bdf409f3a15d6c7e7366cd0aa537152b85e8a556e1bd4746e2700a6284aacd33a26bb58acfa9f697ef

                                      • C:\Users\Admin\AppData\Local\Temp\d34eee8e-524c-4087-a91e-d65ccab7e45a.vbs
                                        Filesize: 756B
                                        MD5: 7e3ddd3047c8b776e128e14beb7c46ed
                                        SHA1: e47c0d9956f6beb72cbb8bef4c2c2015891ddbb1
                                        SHA256: 5f1e1f425d87bc945abbe9f4912fc2f6540d8952a4969b211b0f5bc5d3f14573
                                        SHA512: 1139ac45e1cf1e26733d8e1dbf52900b7461351afda27c5e38c7076a21e52a65b2e67918b3a8c84b0ff9a72e4b6ff970483ddef8e99785eb22a8be8bdd5a4057

                                      • C:\Users\Admin\AppData\Local\Temp\e469dcc1-53c4-4778-9dbb-78fc602cc11e.vbs
                                        Filesize: 756B
                                        MD5: fdfbbf4d02a9b20da56338041af9571c
                                        SHA1: 7375fd808379b91c3e1a6cd83403101659f84e10
                                        SHA256: 91860b4f3a1046a68feb6bc9f474ea6a5097790e5f626392a8e0412ea60810b0
                                        SHA512: 98415bbdeb343cdb287bb08e0d458c681fe5b0a3bb5f26b03ba5aa7be0b195e160a1f50f5a5cfe07ac3141687e9f3ef30e904978a19ba84e3ef4d69b787b5dfa

                                      • C:\Users\Admin\AppData\Local\Temp\f9ff88d6-4078-428f-820d-d181dc812c8b.vbs
                                        Filesize: 756B
                                        MD5: 9d7fe2321ed6d6284dc0b9e038fa3aec
                                        SHA1: f5dd74d9d5717324535d858dfd1275eceb26d7d1
                                        SHA256: c1f1657f9bfd71022a44d2cbf9a817da933872e82ebfe04de0489e64332767ef
                                        SHA512: 4d32babdd81156949025df111049a744200a1b7c286690bcc1f75827c337d7cd81ce23f9123d7ff02ad62d0096e77c59e8762c9480765ad818c355c9efc1bef6

                                      • C:\Users\Admin\AppData\Local\Temp\fc084c79-a470-4d86-930c-d700d3640fdf.vbs
                                        Filesize: 756B
                                        MD5: 9a97b45e5fdb92ca10bccec669bb1b6a
                                        SHA1: 2f0e201465fe4d95b0678f229fb93fb22967d7b5
                                        SHA256: 8c303c0a32929cbd6be14474ca3a76afdba8e570d655eddcffcd1a9fafdfe10a
                                        SHA512: 6096a197ad4994a6f6b1fcfeff9193e7ff492b1d6a76c63c5208d518e5d7abe1027ffbacaa15f3453953bc3a7793455d697106fad3c7cce2522158f77010bc19

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                        Filesize: 7KB
                                        MD5: 0f9e54f32bc40170c3f7b2d24e3cc207
                                        SHA1: 2b65591f3f1135405a3c64e8f429028895d9a113
                                        SHA256: 0dcdbbeba1690cbb792e1845c02a8de2c80b3fbd120a7944f72182a7bac39b6d
                                        SHA512: 6bf40f4106429e3a5b88da196266166557c3b0465be3550045ce6cbeb9bbad30578b28b96e4b929ace1314dff97d1ab22d9c7cce786422cbf02deddd486a9247

                                      • \??\PIPE\srvsvc
                                        MD5: d41d8cd98f00b204e9800998ecf8427e
                                        SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
                                        SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                                        SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
                                      • memory/804-322-0x0000000001350000-0x000000000168C000-memory.dmp (Filesize: 3.2MB)
                                      • memory/1368-253-0x0000000001040000-0x000000000137C000-memory.dmp (Filesize: 3.2MB)
                                      • memory/1368-254-0x0000000001030000-0x0000000001042000-memory.dmp (Filesize: 72KB)
                                      • memory/1744-242-0x0000000000150000-0x000000000048C000-memory.dmp (Filesize: 3.2MB)
                                      • memory/2488-206-0x0000000001F40000-0x0000000001F48000-memory.dmp (Filesize: 32KB)
                                      • memory/2520-200-0x000000001B210000-0x000000001B4F2000-memory.dmp (Filesize: 2.9MB)
                                      • memory/2648-15-0x0000000000AD0000-0x0000000000AD8000-memory.dmp (Filesize: 32KB)
                                      • memory/2648-208-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp (Filesize: 9.9MB)
                                      • memory/2648-28-0x000000001AF00000-0x000000001AF0C000-memory.dmp (Filesize: 48KB)
                                      • memory/2648-26-0x000000001AB10000-0x000000001AB18000-memory.dmp (Filesize: 32KB)
                                      • memory/2648-29-0x000000001AF10000-0x000000001AF18000-memory.dmp (Filesize: 32KB)
                                      • memory/2648-30-0x000000001AF20000-0x000000001AF2A000-memory.dmp (Filesize: 40KB)
                                      • memory/2648-31-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp (Filesize: 9.9MB)
                                      • memory/2648-32-0x000000001B130000-0x000000001B13C000-memory.dmp (Filesize: 48KB)
                                      • memory/2648-25-0x000000001AB00000-0x000000001AB0E000-memory.dmp (Filesize: 56KB)
                                      • memory/2648-24-0x000000001AAF0000-0x000000001AAFA000-memory.dmp (Filesize: 40KB)
                                      • memory/2648-23-0x000000001AAE0000-0x000000001AAE8000-memory.dmp (Filesize: 32KB)
                                      • memory/2648-22-0x000000001AAD0000-0x000000001AADC000-memory.dmp (Filesize: 48KB)
                                      • memory/2648-21-0x000000001AAC0000-0x000000001AACC000-memory.dmp (Filesize: 48KB)
                                      • memory/2648-20-0x000000001AAB0000-0x000000001AABC000-memory.dmp (Filesize: 48KB)
                                      • memory/2648-19-0x000000001AAA0000-0x000000001AAAC000-memory.dmp (Filesize: 48KB)
                                      • memory/2648-18-0x000000001AA70000-0x000000001AA82000-memory.dmp (Filesize: 72KB)
                                      • memory/2648-17-0x0000000000DC0000-0x0000000000DC8000-memory.dmp (Filesize: 32KB)
                                      • memory/2648-27-0x000000001AB20000-0x000000001AB2E000-memory.dmp (Filesize: 56KB)
                                      • memory/2648-16-0x0000000000B60000-0x0000000000B6C000-memory.dmp (Filesize: 48KB)
                                      • memory/2648-0-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp (Filesize: 4KB)
                                      • memory/2648-14-0x0000000000AC0000-0x0000000000ACC000-memory.dmp (Filesize: 48KB)
                                      • memory/2648-13-0x0000000000D70000-0x0000000000DC6000-memory.dmp (Filesize: 344KB)
                                      • memory/2648-12-0x0000000000AA0000-0x0000000000AAA000-memory.dmp (Filesize: 40KB)
                                      • memory/2648-11-0x0000000000AB0000-0x0000000000AC0000-memory.dmp (Filesize: 64KB)
                                      • memory/2648-10-0x0000000000560000-0x0000000000568000-memory.dmp (Filesize: 32KB)
                                      • memory/2648-1-0x0000000000ED0000-0x000000000120C000-memory.dmp (Filesize: 3.2MB)
                                      • memory/2648-9-0x0000000000540000-0x0000000000556000-memory.dmp (Filesize: 88KB)
                                      • memory/2648-8-0x0000000000530000-0x0000000000540000-memory.dmp (Filesize: 64KB)
                                      • memory/2648-7-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
                                      • memory/2648-6-0x0000000000510000-0x000000000052C000-memory.dmp (Filesize: 112KB)
                                      • memory/2648-5-0x00000000003F0000-0x00000000003F8000-memory.dmp (Filesize: 32KB)
                                      • memory/2648-4-0x00000000003E0000-0x00000000003EE000-memory.dmp (Filesize: 56KB)
                                      • memory/2648-3-0x00000000003D0000-0x00000000003DE000-memory.dmp (Filesize: 56KB)
                                      • memory/2648-2-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp (Filesize: 9.9MB)
                                      • memory/2944-266-0x0000000000DB0000-0x0000000000DC2000-memory.dmp (Filesize: 72KB)