Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-07-2024 18:41

General

  • Target

    RustUpdater.exe

  • Size

    2.3MB

  • MD5

    50d955b49b2a8878cdd683365c83e183

  • SHA1

    9ce5bc5c6d2d71eacdd88fbdd478dd241bb96244

  • SHA256

    528a09f9d227d34e3ca3ada3286fbf3a651fd651d1028c981f5754f3dfa15d78

  • SHA512

    6ddb253922211164c8a236e733fa80c596fc68e6a9b3cc79f4d0e60fc7b7c01978633dd84151ca85773a0c906d8e288a34ba5d017fef4e50b094a9d808033fb2

  • SSDEEP

    49152:HYcIk1q0oClfViBnxZgY4PVOZovFNf5qcusO4Dmu657stUQ+h:HY1k1boAfVizZLoRvgcgQmubkh

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process (24 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload (7 IoCs)

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)

    Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE (10 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 9 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  • Drops file in Program Files directory (6 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task (1 TTPs, 24 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (21 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe
          "C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1804
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1220
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1476
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2020
          • C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
            "C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1728
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f56115f-ce3a-49cf-96d4-9426d4747b4d.vbs"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1128
              • C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                7⤵
                • Executes dropped EXE
                PID:3012
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2272794-943d-4c7a-83dc-6444fe2ad2c5.vbs"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2784
                  • C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                    C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2236
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f8fd66b-2d9d-4903-a017-ad07949edca8.vbs"
                      10⤵
                        PID:2380
                        • C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                          C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                          11⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1448
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91dab18d-5f61-4f74-b29d-ec1aaaba0669.vbs"
                            12⤵
                              PID:1308
                              • C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                13⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2576
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c12ceac-15b7-486c-8413-b4c83a9f62d3.vbs"
                                  14⤵
                                    PID:936
                                    • C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                      C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                      15⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:580
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d44d7382-56d4-417b-bdb7-bc6953367a24.vbs"
                                        16⤵
                                          PID:1380
                                          • C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                            C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                            17⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2972
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b3d5d39-1590-4997-b779-71857d6230ec.vbs"
                                              18⤵
                                                PID:1372
                                                • C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                                  C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                                  19⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1780
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c0719aa-1de7-45f8-9711-78d60cff2e8d.vbs"
                                                    20⤵
                                                      PID:2960
                                                      • C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                                        C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                                        21⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2928
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\674d2b82-bb28-48a1-9828-ad3ef457ba31.vbs"
                                                          22⤵
                                                            PID:2552
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbf51341-2ddc-48f5-88cf-940b30e4dbc2.vbs"
                                                            22⤵
                                                              PID:320
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1146f048-5f6f-49e0-a8db-71131ae7e874.vbs"
                                                          20⤵
                                                            PID:768
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be350d3f-f96c-409a-ab9f-c44436e1ec9d.vbs"
                                                        18⤵
                                                          PID:2964
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a1f0fe6-9609-4a0a-abde-ccf405df4d4d.vbs"
                                                      16⤵
                                                        PID:560
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a09c97be-d4e8-4e99-8092-826d407dbeaa.vbs"
                                                    14⤵
                                                      PID:2808
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ec9501b-fa7e-4b95-8345-f47d1b7926fe.vbs"
                                                  12⤵
                                                    PID:2200
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fb04e69-6569-494c-84fb-04c8ec21d6f2.vbs"
                                                10⤵
                                                  PID:2220
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54a7ae00-5997-4939-8367-a728442dbde3.vbs"
                                              8⤵
                                                PID:1952
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bce03413-b6dd-4ae3-9a6c-69b16ec75c78.vbs"
                                            6⤵
                                              PID:1020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 9 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\componentdriver.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "componentdriver" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\componentdriver.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 11 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\componentdriver.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1140
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\de-DE\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\de-DE\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2080
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:592

Network

MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\2c0719aa-1de7-45f8-9711-78d60cff2e8d.vbs

                                    Filesize

                                    737B

                                    MD5

                                    47cf841788510b1f8ed743b5f8e5ab48

                                    SHA1

                                    6b8533afb27d9540e4cd6d101f2246a453c07dad

                                    SHA256

                                    97e3b0c2033a03ca223cd798cc5b71ba4e878de737ad4f8d29e1f98c0858cf4d

                                    SHA512

                                    0db850e3c6736dea0c6fd315928b8705e1a85030e1c95cd6afff6a710d582da5b3bdddfed4775f9715d3219d2c0ad282a36d9aac972b75c589ac33b927a8d266

                                  • C:\Users\Admin\AppData\Local\Temp\2c12ceac-15b7-486c-8413-b4c83a9f62d3.vbs

                                    Filesize

                                    737B

                                    MD5

                                    de691c8b44752ce738aeeedebbaa260e

                                    SHA1

                                    9579da9ae1814d64f9043fd8fcd51321615372fd

                                    SHA256

                                    883a7214ef6bcc1627cc88a01d606d6695c1e0af957c4d85fa341ffdc7bc2957

                                    SHA512

                                    2201abd28c099780067a622ddd3f7c794a898f0a163730a5cdd41e571f6688bfd4af67ce725538a431589141e9235efd263e30cf5ed0689f4f92a60aca25704d

                                  • C:\Users\Admin\AppData\Local\Temp\3f56115f-ce3a-49cf-96d4-9426d4747b4d.vbs

                                    Filesize

                                    737B

                                    MD5

                                    fc61d564f4b377c91e97f1bc6b53aaf5

                                    SHA1

                                    dc02b1691cebf73b55e284bf9691a7b877598c43

                                    SHA256

                                    74128f19c5d027ca0c29601345bc605c59373128e54fa7f00a022382a4a49b17

                                    SHA512

                                    f8f96600c9f4dd90ecbdc29cd7d3095ce2a34df40517cef9bf846cad1a19d8f61fe9cd36e56d5f0885e3381f01fc74fe626d63232e3b0b4b978e765ad35d49ae

                                  • C:\Users\Admin\AppData\Local\Temp\674d2b82-bb28-48a1-9828-ad3ef457ba31.vbs

                                    Filesize

                                    737B

                                    MD5

                                    c96473a2ea30cba35f095c63fc1d1334

                                    SHA1

                                    590a00c9d74f8a1303cb9273f613a1a11385acc0

                                    SHA256

                                    1e5ae4e3c23396abf96766f577442237f599fb77618a7870b2e978809eda2e71

                                    SHA512

                                    34d667fa3fa13bfc0fe335d9b35b4efc6b90ab73761d48acc42880f07e7013a126d2627af93147302079ad5d517abdc2386ca61340cd0f4ec1e1eb8f562f9c32

                                  • C:\Users\Admin\AppData\Local\Temp\8b3d5d39-1590-4997-b779-71857d6230ec.vbs

                                    Filesize

                                    737B

                                  • C:\Users\Admin\AppData\Local\Temp\8f8fd66b-2d9d-4903-a017-ad07949edca8.vbs

                                    Filesize

                                    737B

                                  • C:\Users\Admin\AppData\Local\Temp\91dab18d-5f61-4f74-b29d-ec1aaaba0669.vbs

                                    Filesize

                                    737B

                                  • C:\Users\Admin\AppData\Local\Temp\bce03413-b6dd-4ae3-9a6c-69b16ec75c78.vbs

                                    Filesize

                                    513B

                                  • C:\Users\Admin\AppData\Local\Temp\d44d7382-56d4-417b-bdb7-bc6953367a24.vbs

                                    Filesize

                                    736B

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                    Filesize

                                    7KB

                                  • C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat

                                    Filesize

                                    48B

                                  • C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe

                                    Filesize

                                    1.0MB

                                  • C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe

                                    Filesize

                                    222B

                                  • memory/1448-120-0x0000000000160000-0x000000000026A000-memory.dmp

                                    Filesize

                                    1.0MB

                                  • memory/1728-44-0x0000000000FE0000-0x00000000010EA000-memory.dmp

                                    Filesize

                                    1.0MB

                                  • memory/1764-70-0x000000001B280000-0x000000001B562000-memory.dmp

                                    Filesize

                                    2.9MB

                                  • memory/2120-0-0x0000000000390000-0x0000000000776000-memory.dmp

                                    Filesize

                                    3.9MB

                                  • memory/2120-8-0x0000000000390000-0x0000000000776000-memory.dmp

                                    Filesize

                                    3.9MB

                                  • memory/2224-17-0x00000000005D0000-0x00000000005DC000-memory.dmp

                                    Filesize

                                    48KB

                                  • memory/2224-21-0x0000000000690000-0x000000000069C000-memory.dmp

                                    Filesize

                                    48KB

                                  • memory/2224-20-0x0000000000680000-0x0000000000688000-memory.dmp

                                    Filesize

                                    32KB

                                  • memory/2224-19-0x00000000005F0000-0x00000000005FA000-memory.dmp

                                    Filesize

                                    40KB

                                  • memory/2224-18-0x00000000005E0000-0x00000000005EC000-memory.dmp

                                    Filesize

                                    48KB

                                  • memory/2224-16-0x00000000005C0000-0x00000000005C8000-memory.dmp

                                    Filesize

                                    32KB

                                  • memory/2224-15-0x0000000000950000-0x0000000000A5A000-memory.dmp

                                    Filesize

                                    1.0MB

                                  • memory/2236-108-0x00000000010D0000-0x00000000011DA000-memory.dmp

                                    Filesize

                                    1.0MB

                                  • memory/2288-71-0x0000000002300000-0x0000000002308000-memory.dmp

                                    Filesize

                                    32KB

                                  • memory/2576-132-0x0000000001080000-0x000000000118A000-memory.dmp

                                    Filesize

                                    1.0MB

                                  • memory/2972-155-0x00000000013B0000-0x00000000014BA000-memory.dmp

                                    Filesize

                                    1.0MB