Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    21-06-2024 04:52

General

  • Target

    e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe

  • Size

    959KB

  • MD5

    4d580c12dd002c7e9d0672cf7c0fef59

  • SHA1

    b46c4eaeea368c01f3b6e89a7749dcb9719fcf11

  • SHA256

    e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc

  • SHA512

    6a517c05bf3b3df6d66fbe026044456bc5ec9f643757a53705a869588c505fbb837fc763134b71bea390ca8f01f8b5fdda391ed5eb07829dcd8249027a6f99f0

  • SSDEEP

    24576:7IY/8GC9t2/zdHKXMXvE/s5ZVKBdd0aZ7+B:7IQRllfE/oYh+B

Score
10/10

Malware Config

Signatures

  • DcRat 63 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables containing URLs to raw contents of a Github gist 2 IoCs
  • Detects executables packed with SmartAssembly 1 IoCs
  • Checks computer location settings 2 TTPs 11 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 8 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe
    "C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4652
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1428
        3⤵
        • Program crash
        PID:4272
    • C:\Users\Admin\AppData\Local\Temp\trx.exe
      "C:\Users\Admin\AppData\Local\Temp\trx.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\MSCONFIG\0h6cj87wvPM.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\MSCONFIG\CONFIG.exe
            "C:\MSCONFIG\CONFIG.exe"
            5⤵
            • DcRat
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:696
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jikD5aXlRk.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2784
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1748
                • C:\MSCONFIG\CONFIG.exe
                  "C:\MSCONFIG\CONFIG.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4380
                  • C:\Recovery\WindowsRE\conhost.exe
                    "C:\Recovery\WindowsRE\conhost.exe"
                    8⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3832
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3944
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        10⤵
                          PID:2180
                        • C:\Recovery\WindowsRE\conhost.exe
                          "C:\Recovery\WindowsRE\conhost.exe"
                          10⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4344
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"
                            11⤵
                            • Suspicious use of WriteProcessMemory
                            PID:5100
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              12⤵
                                PID:1300
                              • C:\Recovery\WindowsRE\conhost.exe
                                "C:\Recovery\WindowsRE\conhost.exe"
                                12⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:1312
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
                                  13⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:2948
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    14⤵
                                      PID:1080
                                    • C:\Recovery\WindowsRE\conhost.exe
                                      "C:\Recovery\WindowsRE\conhost.exe"
                                      14⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:1672
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
                                        15⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:3852
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          16⤵
                                            PID:4400
                                          • C:\Recovery\WindowsRE\conhost.exe
                                            "C:\Recovery\WindowsRE\conhost.exe"
                                            16⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of WriteProcessMemory
                                            PID:3384
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat"
                                              17⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:1448
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                18⤵
                                                  PID:3284
                                                • C:\Recovery\WindowsRE\conhost.exe
                                                  "C:\Recovery\WindowsRE\conhost.exe"
                                                  18⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2248
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
                                                    19⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:4952
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      20⤵
                                                        PID:1652
                                                      • C:\Recovery\WindowsRE\conhost.exe
                                                        "C:\Recovery\WindowsRE\conhost.exe"
                                                        20⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4784
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3068
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4852
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2188
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\SppExtComObj.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:948
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Performance\SppExtComObj.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2944
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\SppExtComObj.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4272
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5064
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3736
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4292
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\MSCONFIG\OfficeClickToRun.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4936
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\MSCONFIG\OfficeClickToRun.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3604
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\MSCONFIG\OfficeClickToRun.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4056
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\MSCONFIG\taskhostw.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3596
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1256
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4144
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4212
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:872
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1568
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1796
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3180
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:456
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2704
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2616
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4424
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3028
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1624
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1028
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\MSCONFIG\taskhostw.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:916
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:976
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1464
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4772
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2388
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:752
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\csrss.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1100
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2184
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4560
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\wininit.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2088
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\wininit.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4520
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\root\wininit.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4516
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\Registry.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4992
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1312
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3628
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 6 /tr "'C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4088
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SolaraBootstrapper" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:380
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3252
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\System.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4040
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3552
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3624
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\MSCONFIG\RuntimeBroker.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3568
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MSCONFIG\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5096
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\MSCONFIG\RuntimeBroker.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1364
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\dwm.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1348
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:888
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2232
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:748
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1168
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:516
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4652 -ip 4652
                  1⤵
                    PID:404
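The twelve schtasks.exe /create lines above follow one pattern per dropped payload: an ONLOGON task with /rl HIGHEST named exactly like the binary (System, RuntimeBroker, dwm, conhost), plus two MINUTE tasks with a 8 to 12 minute interval whose names are the binary name with its first letter appended (SystemS, RuntimeBrokerR, dwmd, conhostc). Every target is a system-process name written to a directory where Windows never keeps that binary. The script below is an added example, not part of this sandbox report or of the sample: it parses such command lines the way they arrive in process-creation telemetry and scores each against that pattern. The sample lines are constructed from the tree above plus one hypothetical benign updater as a control; the allow-listed directories, the process-name list and the threshold of three findings are assumptions to tune for your environment.

```python
"""Flag schtasks /create command lines that look like the persistence seen above:
a look-alike task name, a system-process name dropped outside System32,
/rl HIGHEST, and a MINUTE trigger of under 15 minutes, several tasks per payload."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: command lines in the shape of the process tree above,
# plus one benign control line (a hypothetical vendor updater, not from the report).
SAMPLE_COMMAND_LINES = [
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\System.exe'" /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MSCONFIG\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "AcmeUpdate" /sc DAILY /tr "'C:\Program Files\Acme\update.exe'" /f''',
]

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# schtasks switches that consume the next token as their value.
_VALUE_SWITCHES = {"tn", "sc", "mo", "tr", "rl", "ru", "rp", "st", "sd",
                   "ed", "du", "ri", "s", "u", "p", "d", "m", "ec", "xml"}
# Process names a user sees in Task Manager; the real binaries live in System32.
# Assumed list, extend as needed.
_SYSTEM_NAMES = {"system", "runtimebroker", "dwm", "conhost", "svchost", "csrss",
                 "lsass", "explorer", "winlogon", "smss", "wininit", "services",
                 "taskhostw", "sihost", "spoolsv", "dllhost", "fontdrvhost"}
_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
_EXPECTED_DIRS = _SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")


def _unquote(tok: str) -> str:
    tok = tok.strip()
    for q in ('"', "'"):            # /tr values arrive as "'path'"
        if len(tok) >= 2 and tok[0] == q and tok[-1] == q:
            tok = tok[1:-1].strip()
    return tok


@dataclass
class TaskCreate:
    name: str
    schedule: str
    modifier: Optional[int]
    target: str                     # executable named by /tr
    run_level: str
    findings: list = field(default_factory=list)


def parse_schtasks(cmdline: str) -> Optional[TaskCreate]:
    """Return the /create parameters, or None if this is not a task creation."""
    toks = [_unquote(t) for t in _TOKEN_RE.findall(cmdline)]
    if not toks or not (toks[0].lower().endswith("schtasks.exe") or toks[0].lower() == "schtasks"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        key = toks[i][1:].lower() if toks[i].startswith("/") else None
        if key in _VALUE_SWITCHES and i + 1 < len(toks):
            opts[key] = toks[i + 1]
            i += 2
            continue
        if key:
            opts[key] = True
        i += 1
    if "create" not in opts:
        return None
    tr = opts.get("tr", "")
    m = re.match(r"(.*?\.(?:exe|bat|cmd|vbs|vbe|ps1|dll))(?:\s|$)", tr, re.I)
    mo = opts.get("mo")
    return TaskCreate(
        name=opts.get("tn", ""),
        schedule=opts.get("sc", ""),
        modifier=int(mo) if isinstance(mo, str) and mo.isdigit() else None,
        target=m.group(1) if m else tr,
        run_level=opts.get("rl", "LIMITED"),   # schtasks default when /rl is absent
    )


def analyse(task: TaskCreate) -> TaskCreate:
    """Attach one finding per matching heuristic from the module docstring."""
    low = task.target.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    f = task.findings
    if low and not low.startswith(_EXPECTED_DIRS):
        f.append("target outside System32/SysWOW64/Program Files: " + task.target)
    if stem in _SYSTEM_NAMES and not low.startswith(_SYSTEM_DIRS):
        f.append(f"system process name '{stem}' outside its real location")
    n = task.name.lower()
    if stem and n.startswith(stem) and len(n) - len(stem) <= 1:
        f.append(f"task name '{task.name}' mimics the target file name")
    if task.run_level.upper() == "HIGHEST":
        f.append("/rl HIGHEST: runs with the highest privileges the user holds")
    if task.schedule.upper() == "MINUTE" and task.modifier is not None and task.modifier < 15:
        f.append(f"re-launched every {task.modifier} minutes")
    return task


def hunt(cmdlines, min_findings: int = 3):
    """Parse and score each line; return the tasks with at least min_findings hits."""
    tasks = [analyse(t) for t in map(parse_schtasks, cmdlines) if t]
    return [t for t in tasks if len(t.findings) >= min_findings]


def payload_clusters(tasks):
    """Lower-cased target paths that receive both an ONLOGON task and a MINUTE
    re-run task, the per-payload combination seen in this report."""
    by_target = {}
    for t in tasks:
        by_target.setdefault(t.target.lower(), set()).add(t.schedule.upper())
    return {p for p, s in by_target.items() if {"ONLOGON", "MINUTE"} <= s}


if __name__ == "__main__":
    for t in hunt(SAMPLE_COMMAND_LINES):
        print(f"{t.name:15} -> {t.target}")
        for line in t.findings:
            print("   -", line)
    all_tasks = [t for t in map(parse_schtasks, SAMPLE_COMMAND_LINES) if t]
    print("payloads with ONLOGON + MINUTE tasks:", payload_clusters(all_tasks))
```

Feed it the command-line field of your process-creation events (Sysmon Event ID 1, Security 4688 with command-line auditing, or your EDR's equivalent) restricted to schtasks.exe; the per-target clustering is the cheaper signal to alert on, since a single payload registering both a logon task and a minute-interval task is rare in legitimate software.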

                  Network

                  MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\MSCONFIG\0h6cj87wvPM.vbe
                    Filesize: 208B
                    MD5: c82cc3c85bd84d0af9e997e0a4959cdd
                    SHA1: 8ff246be20905b44b77082729819917245547013
                    SHA256: 53db8dddc4b2d19225bc4e07771a867791fea3399c93f2e377b6794c2df3e86d
                    SHA512: 09c484cf6b54b4dfd612fdbe32c116ada544dd684e98d4bcdf5ce67534712d2e16685ebecde94aded6a1a8767df75a3390d9871b52061b45bb9011bf2de353d9

                  • C:\MSCONFIG\CONFIG.exe
                    Filesize: 1.1MB
                    MD5: 5e14719cd7fbb360095ace17828a75b3
                    SHA1: 72cd087ba89bef7546a5657b352b61f2ea31f492
                    SHA256: 095b2894512ec27bb89f8e5b1feb35ed137ebec9debf234d61935405f5a27561
                    SHA512: 20bdef4870af81d4dedd18872213788d4a8c5ab2b7cf48e14f1e36096b91f79d791d3481dbd6e35599a1f2a00a2e105e05d92a8202b1597326c6d17905d3bc27

                  • C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat
                    Filesize: 24B
                    MD5: 8ec84d1942903da3492f14e534a8e841
                    SHA1: b152ff7373eac0aaef9c17637bde6cc754fe257a
                    SHA256: a695797842083715d31a3aba69946326d1208a8eb497b1dffbc9f7dfd4305c4d
                    SHA512: bd1e95501352c71ca432263bfca20a2bf9400074629133a0c7906165e79bb9d14419656f3e44da28e817657f86869e2196ae8f77c57683b8ca8e191ffe2bb076

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CONFIG.exe.log
                    Filesize: 1KB
                    MD5: 3dabc3a15559ada6586962e5d966af35
                    SHA1: b9e7ebe34532596154354f7130acafe8654016ef
                    SHA256: 43f6fa295df0ae3976c919bdd314b17768768b6eb14514b2b3a3fe8e7e477c5b
                    SHA512: e828eb2af6cb4551e3174cfe8fbcd3c7923ad71c8d6dbf33432223bb230561f8145fc894f457f6660266c2658166fca486c557337f1bafc1b9973d19959fa348

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
                    Filesize: 1KB
                    MD5: 45b7b984ff65c4ed6e0e1eec9a7e1dbb
                    SHA1: 319c613685ba61edb0956fcb3301e659572e6255
                    SHA256: 5779e6406a1a1a3938bcc0dcc2eecbdea9a23ae203d9d9dc678b056315139b69
                    SHA512: c8733ff26e452805c7791b1cd9a17913dafaf55567a6d8dea4bdd675aae5077d857b546878ab605101a2320e53621b9e07d2b0a51942ef14839891f2be581049

                  • C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat
                    Filesize: 198B
                    MD5: cf9cac864fe027e2390dc92c7e8bc1aa
                    SHA1: e921abfc1c577037bdf8bb329b7eb90076c9c786
                    SHA256: 40a126dc0c1b85938738a36a0d5b64413b287b51ebeb372a812b5b733db31281
                    SHA512: 0a2f7f082d5b9db65744ed57a6f81f771bbb66abf4a123cfe893bee86a5c03519d2903bdd24a18d5c9c613f519ee30167f52daafd43e33400456c68c35ee4a05

                  • C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat
                    Filesize: 198B
                    MD5: 703ca2a879f3908c96a2b6cd8f83997d
                    SHA1: a69d052783f29f8b3e14434649f84b89c3086f1a
                    SHA256: 030eaea140b2c52ec25afb033cfb3b7c7dd284d643c571332236193dac59ba88
                    SHA512: 54cf6bd22ef84e16e15ee743a8cc906e49308a4b1dc37468223f4ebf7b32674f40ca66d15b9a71923fcc2518c99c6ca619019b271c7bda58b76e98dcfd1f2e6a

                  • C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat
                    Filesize: 198B
                    MD5: 1c38052fa1d92ac87d9f1cbdd4554fb4
                    SHA1: 7eaf591d94cf7401dbbcc26934f0c8810feda7c7
                    SHA256: 06796c05a45c31d0e3204ddfe60d42a5b8e6504139ec54f55830aef446575d1d
                    SHA512: 5372e780d0e5a63d17df46e700638af4f0975863f12773f48e6aa2717bf710938b6680f65b06cd80568302a0d829c3f09f08c8557ad6171ede4eb619b324d52c

                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                    Filesize: 12KB
                    MD5: 74494703e5f44eeb9aa037f0f50bf682
                    SHA1: fcfd8813e63cd61c5bfd2db605827fb9070fe8e9
                    SHA256: 3e4f692506d372bebc12d344c5f1543b67fa1dbe095c910aab78456510d7fe66
                    SHA512: dbd2a8d928c797c70c4286d8ebabe202902445ed60e94eeccf33c7e3d794c7e362139187dcd1a57a4919503c1c791cfbe38f6f6eff454248382b3c4e023791fe

                  • C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat
                    Filesize: 198B
                    MD5: 033309c9fb0cb952e7e940828ab531f5
                    SHA1: abb4358ba92106e641671c611153f3a3e944b458
                    SHA256: 6055914d2abbbce08f212f53dba273753e8eb5831912a1c26855e868a771cb66
                    SHA512: 3b97ef986596f4139215da7eca5cdf55f15d2e7b54afe2f36aed2382ce9f81f96bc3ee49738ccb9334f796b86ec5b918065ac806860f5c380e5fbd603d94b4e6

                  • C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat
                    Filesize: 198B
                    MD5: 88a2763bba4bd031f7db3857d0f3c78f
                    SHA1: b54a5b883970e5dc493e87e58ed094fa3462744f
                    SHA256: f8c9f64cad1ef11c48d0c19b0c75f5289b8286dcf4bd4d892a7adc478f016750
                    SHA512: 14bb52f3f25619e65bece77cb0f14a63aa2a560f536e8b302ef6051eda747769a58f42be7c72b4431297fe7a30e6e6aca13c55c2dccecdf8021e55f6dcfabb7f

                  • C:\Users\Admin\AppData\Local\Temp\jikD5aXlRk.bat
                    Filesize: 187B
                    MD5: 76a5acdd11c8445c4fb43b8ab007d86f
                    SHA1: 0b9d3d98c7132186ea2142410b8bafed012ed65d
                    SHA256: 5945ef32e06ce1d72e1290ffcaacd86ec45f4486554d4ea8d7efdcb3e1e0b8ff
                    SHA512: c95b0ae33c220e24b8e97971b226addb4c5a7a988a6bafd4bca63ee14b3fc3ee2b460d7ea4a7238e6739cde61810817c07c67c53bde59d2cedad08a30a0ccfb1

                  • C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat
                    Filesize: 198B
                    MD5: cf6800bfb1c35205a8bc71d9d9bfa190
                    SHA1: 22d56dd84ec4416c0461abb665d691d4510a53e5
                    SHA256: ab63bd127bf496cbd967233a1bfd2cc3d516d99853567b069ded9becc8efe77d
                    SHA512: e183da86e5ace5f29183a7d67dd2b35021c0ed8f691f68dfd8229333954077125f8397890e8aeaa782371efd5bd7c2043a17e15cfc8cee577d682551aad3a58f

                  • C:\Users\Admin\AppData\Local\Temp\trx.exe
                    Filesize: 1.5MB
                    MD5: 03cde07f808c1c15f2b413e89a45b9d8
                    SHA1: 2e4f97f7f28024db39758472d484484dc3030c0b
                    SHA256: daf2510e43a399ef767b7d9dfc87ac245a6d625b05aa9d60a3f1a5767f8cfb9f
                    SHA512: d6add1d4f6acf0b70d50bfbefdd2f9093860a0c9de745429c11a28b6e9d2921ab60fda306e3b90f641901c6fb9b50e0928d0b90e58ee799c573606971eb6ad18

                  • memory/696-43-0x000000001B190000-0x000000001B1A2000-memory.dmp
                    Filesize: 72KB
                  • memory/696-44-0x000000001C040000-0x000000001C568000-memory.dmp
                    Filesize: 5.2MB
                  • memory/696-46-0x000000001B1D0000-0x000000001B1DC000-memory.dmp
                    Filesize: 48KB
                  • memory/696-45-0x000000001B1C0000-0x000000001B1CC000-memory.dmp
                    Filesize: 48KB
                  • memory/696-41-0x000000001B180000-0x000000001B18C000-memory.dmp
                    Filesize: 48KB
                  • memory/696-40-0x0000000000E30000-0x0000000000E42000-memory.dmp
                    Filesize: 72KB
                  • memory/696-42-0x0000000000E40000-0x0000000000E48000-memory.dmp
                    Filesize: 32KB
                  • memory/696-39-0x0000000000540000-0x000000000066E000-memory.dmp
                    Filesize: 1.2MB
                  • memory/1416-21-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
                    Filesize: 10.8MB
                  • memory/1416-0-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp
                    Filesize: 8KB
                  • memory/1416-1-0x0000000000EE0000-0x0000000000FD4000-memory.dmp
                    Filesize: 976KB
                  • memory/1416-16-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
                    Filesize: 10.8MB
                  • memory/3384-131-0x0000000002DE0000-0x0000000002DF2000-memory.dmp
                    Filesize: 72KB
                  • memory/4380-76-0x0000000002660000-0x0000000002672000-memory.dmp
                    Filesize: 72KB
                  • memory/4380-75-0x00000000025D0000-0x00000000025E2000-memory.dmp
                    Filesize: 72KB
                  • memory/4652-24-0x0000000074CAE000-0x0000000074CAF000-memory.dmp
                    Filesize: 4KB
                  • memory/4652-25-0x0000000000FA0000-0x0000000000FAA000-memory.dmp
                    Filesize: 40KB
                  • memory/4652-26-0x0000000003320000-0x000000000332A000-memory.dmp
                    Filesize: 40KB