Overview

overview

10

Static

static

3

b967f67061...0N.exe

windows7-x64

10

b967f67061...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11/09/2024, 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b967f67061d815f1fe82f510cdb90e30N.exe

  • Size

    4.9MB

  • MD5

    b967f67061d815f1fe82f510cdb90e30

  • SHA1

    20aea4fb66adec15d011575fea8804d7e28d3db3

  • SHA256

    2305748d71cd65d0b89c97e0b624d49a96beb58c788dafb8bd5273965851afd7

  • SHA512

    9b0460a57cf2ca5d186c824e9d263c3801073896f3381814ed2850aa2d3588cb4dbfc34c4bfacb1739caff99028004987d11048d9b2af0932928ea7876a5a6b4

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
dcratevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 24 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 16 IoCs
    evasiontrojan
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 24 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b967f67061d815f1fe82f510cdb90e30N.exe
    "C:\Users\Admin\AppData\Local\Temp\b967f67061d815f1fe82f510cdb90e30N.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:3060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1596
    • C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe
      "C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:936
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5488da9a-be9f-48ec-a0ec-0f9073901e91.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe
          C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2188
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a58417a6-fe18-47f9-9aa9-1b7e71280e83.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe
              C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2688
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3bc3899-1662-43d6-819b-e8f497357b8f.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2520
                • C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe
                  C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:3044
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fa88b9a-4be2-406f-b2ec-c03adfbdcba2.vbs"
                    9⤵
                      PID:1660
                      • C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe
                        C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe
                        10⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:332
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa7e27b1-7d7d-4515-9325-431a36b05235.vbs"
                          11⤵
                            PID:1700
                            • C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe
                              C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe
                              12⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1916
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a5fcfe6-a6d3-4892-9ebe-d63456a1ecae.vbs"
                                13⤵
                                  PID:2616
                                  • C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe
                                    C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe
                                    14⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2964
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ef8da61-70c1-42d0-bebd-fc4ad6ad03bf.vbs"
                                      15⤵
                                        PID:2700
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3242006-88ac-44e3-9d0b-db38ee6d7c0c.vbs"
                                        15⤵
                                          PID:896
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7e629fd-d876-4786-b9ef-f9a60062b241.vbs"
                                      13⤵
                                        PID:1616
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b35f54b5-306d-41e6-835a-cd69173675b2.vbs"
                                    11⤵
                                      PID:2908
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec7b70e9-fa61-4387-8695-643883f16037.vbs"
                                  9⤵
                                    PID:2720
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08692168-680c-4d27-b9eb-7c860f5b0735.vbs"
                                7⤵
                                  PID:2704
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\350b0f8b-b59e-4a20-8ce8-7faf62184a9b.vbs"
                              5⤵
                                PID:2768
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09049aa1-dab7-43d6-89f2-7756e3121370.vbs"
                            3⤵
                              PID:2116
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2916
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2660
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2804
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\dllhost.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2636
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2656
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2760
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "b967f67061d815f1fe82f510cdb90e30Nb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\b967f67061d815f1fe82f510cdb90e30N.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2424
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "b967f67061d815f1fe82f510cdb90e30N" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\b967f67061d815f1fe82f510cdb90e30N.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:548
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "b967f67061d815f1fe82f510cdb90e30Nb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\b967f67061d815f1fe82f510cdb90e30N.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2620
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\CSC\explorer.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1516
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\CSC\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2212
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\CSC\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2020
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "b967f67061d815f1fe82f510cdb90e30Nb" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\b967f67061d815f1fe82f510cdb90e30N.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1916
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "b967f67061d815f1fe82f510cdb90e30N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\b967f67061d815f1fe82f510cdb90e30N.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2676
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "b967f67061d815f1fe82f510cdb90e30Nb" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\b967f67061d815f1fe82f510cdb90e30N.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2036
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1292
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:940
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2696
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2984
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2068
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2820
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\sppsvc.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1616
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1204
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2228
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2180
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2456
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2520
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2472
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2960
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2464
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2496
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1228
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1928

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\b967f67061d815f1fe82f510cdb90e30N.exe
                          Filesize

                          4.9MB

                          MD5

                          b967f67061d815f1fe82f510cdb90e30

                          SHA1

                          20aea4fb66adec15d011575fea8804d7e28d3db3

                          SHA256

                          2305748d71cd65d0b89c97e0b624d49a96beb58c788dafb8bd5273965851afd7

                          SHA512

                          9b0460a57cf2ca5d186c824e9d263c3801073896f3381814ed2850aa2d3588cb4dbfc34c4bfacb1739caff99028004987d11048d9b2af0932928ea7876a5a6b4

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\09049aa1-dab7-43d6-89f2-7756e3121370.vbs
                          Filesize

                          513B

                          MD5

                          27338da1edba4432e38cc46883e04036

                          SHA1

                          a3e7e4f3cedb8ee72a4d78b3ee4d2fbfba0e092e

                          SHA256

                          f3668b9087908c655fa0482acf9f727d48d1c00c65d5d7167898d5c58eb831f0

                          SHA512

                          8f09da88b8ae566e735da9716c04a4d591ca2d4ff6d260d80d3e055964680ce666b4fbefdd4c899f262c77b9c9f17ba84b1d717d1212beb1165fb8560e2bd8ab

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\2a5fcfe6-a6d3-4892-9ebe-d63456a1ecae.vbs
                          Filesize

                          737B

                          MD5

                          8c1e5d6f639798afc1952dd6eae746af

                          SHA1

                          95c00d770fb559688a431066c7f28c5e224ae1a0

                          SHA256

                          c67683d117c563238f7ed84736e892c41cfc31f29d8302592b083617a2081421

                          SHA512

                          a75f1fcf1cf56ac6d4c2d4e6284aeb4fa5f3029264bac979d87c3e5d3122eb2a5dc070d8cfdc591d7900576192e98d5caef493f32b1100f0f51b7729c51c26ba

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\5488da9a-be9f-48ec-a0ec-0f9073901e91.vbs
                          Filesize

                          736B

                          MD5

                          bd90f42082fa10e23dedc04a6e59d17a

                          SHA1

                          6d9da94b39a3253395703d26be4d6325250dbd78

                          SHA256

                          b25fef85bd76f98f84fb4f3d26597dfe9d0edc294b74796f5f79c21fa3ac7a05

                          SHA512

                          6c9ba5d978fff06a5f9d862b92cf48210768f622314b2232fcfd0fef0c34f0fa692d4c820c77401ba579b7cd2945f37e5eacdfbd0e5bba28b73dce3a6cc5f9ad

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\6fa88b9a-4be2-406f-b2ec-c03adfbdcba2.vbs
                          Filesize

                          737B

                          MD5

                          4603b6305ddc40e93eaa2c02c112089c

                          SHA1

                          6df57e18206ea7cc28cd385cc127e92fbe42e30b

                          SHA256

                          483d7f3a75b6fae753c43fa83285a48c9708680175578877bb210db0d1da5d62

                          SHA512

                          3ec9e9c9717d82955f90c953bf6f7bcdeea4f3ded1a72197f4c1348c95931d280c534163b808af3c00727a0f789de917476d5352d4931723bcb7655300f7e8df

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\8ef8da61-70c1-42d0-bebd-fc4ad6ad03bf.vbs
                          Filesize

                          737B

                          MD5

                          f533212dc1c2a09a35c33e3114007273

                          SHA1

                          b10791c8d7fcd8e8510bf4507632da64d42e83a4

                          SHA256

                          0f891816841f968052040a2c523b83f945c089d98a6a8037abcebebfc7695a5b

                          SHA512

                          8abde8d8c10c1b15e05cec2f952eb1941f5ca887c7ef2858feac8db6f10f0f9d7a109526657ffab1bdf38cb66623b83f58b4d916a93c2f5fa1a48e5caf528c52

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\a58417a6-fe18-47f9-9aa9-1b7e71280e83.vbs
                          Filesize

                          737B

                          MD5

                          72fc105ee40463755ee0b0b7671a9f55

                          SHA1

                          32fbfec8d72fb046df2b688f7ca447ebefc9d07c

                          SHA256

                          1fcea571b896d7e48cb66bf2d05134313ef1da0d1f26f7c3108dacc7f4a31d3d

                          SHA512

                          83d5845b3809aec17f191974f12c3b30a729690765700842f4f2ebc6b08ff07b73c8758798f776fceb96f39094f391491a60ef2942089fbd1331010b838f9953

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\c3bc3899-1662-43d6-819b-e8f497357b8f.vbs
                          Filesize

                          737B

                          MD5

                          1424f7798ade4b245e250d51a0e7ec16

                          SHA1

                          5fb0ca2043cdd2af9da7f076e53a2e2f3f2186d5

                          SHA256

                          2e3d7f817a209fdf6d878ac7e24169a2da13bd5b9b1dddc64ce134b394d929f1

                          SHA512

                          13b0daba8a03d781b41c6c430ab734ea5ed853267ade90173eba54ce640f14e266852e5681116c3f865b18acc7844870d1b4a68b61d93879a9524106b9536bef

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\fa7e27b1-7d7d-4515-9325-431a36b05235.vbs
                          Filesize

                          736B

                          MD5

                          39de6b91c06b8b9fb3dc454f5cac5b06

                          SHA1

                          7b1209063775218c9397cd80c85d06398bd581b4

                          SHA256

                          e61fab3719a8e645b9b895d248cc311024bcb862fc1f2109dda3a6cdcbcd9c29

                          SHA512

                          6bc4c63d57aa7a40cdd85e7f32ae73e6bfcce0280ea7c20d11de812c1040eebd740f1d4f7e906825b6f74d8ca2d5c01821bb61f8c97d43f5eeb0602497951877

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\tmpC4A6.tmp.exe
                          Filesize

                          75KB

                          MD5

                          e0a68b98992c1699876f818a22b5b907

                          SHA1

                          d41e8ad8ba51217eb0340f8f69629ccb474484d0

                          SHA256

                          2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                          SHA512

                          856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                          Filesize

                          7KB

                          MD5

                          683bc8bf929aed5180ddf42a7a933a93

                          SHA1

                          703a5428e9d1715e1d7595e179781f3481dfca91

                          SHA256

                          502dfccfa1d7d366f60dc7960cdd855248b84049440e922c0453660484cb7da9

                          SHA512

                          9648fb9c3daf2ad1f3f5bf6b94baab6c1b263094fe5fc58b58d477511a7b8337e06a8c6d754787eae783773bca2083854582e45aad41e66c28e2212a929dcd47

                          Download Submit

                        • memory/332-239-0x0000000001390000-0x0000000001884000-memory.dmp

                          Filesize

                          5.0MB

                          Download

                        • memory/936-182-0x0000000000600000-0x0000000000612000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/936-160-0x0000000000F90000-0x0000000001484000-memory.dmp

                          Filesize

                          5.0MB

                          Download

                        • memory/2132-136-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

                          Filesize

                          2.9MB

                          Download

                        • memory/2172-9-0x0000000000A90000-0x0000000000A9A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/2172-10-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/2172-14-0x0000000000B60000-0x0000000000B68000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2172-91-0x000007FEF61E3000-0x000007FEF61E4000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2172-105-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2172-15-0x0000000000B70000-0x0000000000B78000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2172-13-0x0000000000B50000-0x0000000000B5E000-memory.dmp

                          Filesize

                          56KB

                          Download

                        • memory/2172-1-0x0000000000C00000-0x00000000010F4000-memory.dmp

                          Filesize

                          5.0MB

                          Download

                        • memory/2172-12-0x0000000000B40000-0x0000000000B4E000-memory.dmp

                          Filesize

                          56KB

                          Download

                        • memory/2172-161-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2172-11-0x0000000000B30000-0x0000000000B3A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/2172-16-0x0000000002500000-0x000000000250C000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/2172-0-0x000007FEF61E3000-0x000007FEF61E4000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2172-7-0x00000000005D0000-0x00000000005E6000-memory.dmp

                          Filesize

                          88KB

                          Download

                        • memory/2172-2-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2172-8-0x00000000005B0000-0x00000000005C0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2172-6-0x00000000005A0000-0x00000000005B0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2172-5-0x0000000000590000-0x0000000000598000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2172-4-0x0000000000460000-0x000000000047C000-memory.dmp

                          Filesize

                          112KB

                          Download

                        • memory/2172-3-0x000000001B520000-0x000000001B64E000-memory.dmp

                          Filesize

                          1.2MB

                          Download

                        • memory/2188-196-0x0000000001140000-0x0000000001634000-memory.dmp

                          Filesize

                          5.0MB

                          Download

                        • memory/3020-143-0x00000000025A0000-0x00000000025A8000-memory.dmp

                          Filesize

                          32KB

                          Download