Overview

overview

10

Static

static

3

8a63ca3ec6...e4.exe

windows7-x64

10

8a63ca3ec6...e4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 01:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a63ca3ec651eab56e841df572af993ebcf682679da408227ca4837c2acc80e4.exe

  • Size

    4.9MB

  • MD5

    d8a7d085b8a5b157b2b1fae01a0e4a8b

  • SHA1

    3cf51e4dfc269f7573fe02303cf1a02f9ecccf2f

  • SHA256

    8a63ca3ec651eab56e841df572af993ebcf682679da408227ca4837c2acc80e4

  • SHA512

    d3003b5c98eff6571d895b0d98e54bde884b6f3b12ca8fdb8b98e1f6832e0982bec392bb2f317acb04bd905d40789795373955e31c802264daf35c9fd834ead0

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
dcratevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 42 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 13 IoCs
  • Checks whether UAC is enabled 1 TTPs 28 IoCs
    evasiontrojan
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 42 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a63ca3ec651eab56e841df572af993ebcf682679da408227ca4837c2acc80e4.exe
    "C:\Users\Admin\AppData\Local\Temp\8a63ca3ec651eab56e841df572af993ebcf682679da408227ca4837c2acc80e4.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2372
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1788
    • C:\Users\Default User\winlogon.exe
      "C:\Users\Default User\winlogon.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2728
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb89947f-63c7-46d6-a93f-ead9f6920c57.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1996
        • C:\Users\Default User\winlogon.exe
          "C:\Users\Default User\winlogon.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1520
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb608a3a-daec-4f11-85b0-457cf09ff4cc.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2336
            • C:\Users\Default User\winlogon.exe
              "C:\Users\Default User\winlogon.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3068
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22574535-0219-48d5-b662-9d93d620a3cb.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2520
                • C:\Users\Default User\winlogon.exe
                  "C:\Users\Default User\winlogon.exe"
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:2928
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea5e3d5c-40a3-4256-9d97-db8c803c2942.vbs"
                    9⤵
                      PID:2484
                      • C:\Users\Default User\winlogon.exe
                        "C:\Users\Default User\winlogon.exe"
                        10⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2076
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f4481ca-6482-49da-861a-7a6debfce00a.vbs"
                          11⤵
                            PID:768
                            • C:\Users\Default User\winlogon.exe
                              "C:\Users\Default User\winlogon.exe"
                              12⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:2416
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab8f3356-ccbe-47d6-96a5-fd733e0b9e79.vbs"
                                13⤵
                                  PID:2044
                                  • C:\Users\Default User\winlogon.exe
                                    "C:\Users\Default User\winlogon.exe"
                                    14⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2908
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd703340-3e42-4013-aea8-2d1d3ff1911f.vbs"
                                      15⤵
                                        PID:1036
                                        • C:\Users\Default User\winlogon.exe
                                          "C:\Users\Default User\winlogon.exe"
                                          16⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:1912
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65acdb6b-adb4-427f-be42-b93680e25fa0.vbs"
                                            17⤵
                                              PID:2780
                                              • C:\Users\Default User\winlogon.exe
                                                "C:\Users\Default User\winlogon.exe"
                                                18⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:1660
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abd83568-6f7d-4041-8f9e-4665e70f5a8d.vbs"
                                                  19⤵
                                                    PID:968
                                                    • C:\Users\Default User\winlogon.exe
                                                      "C:\Users\Default User\winlogon.exe"
                                                      20⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:1168
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\272c13f0-07a1-4cb1-a611-293d4f6255a5.vbs"
                                                        21⤵
                                                          PID:1324
                                                          • C:\Users\Default User\winlogon.exe
                                                            "C:\Users\Default User\winlogon.exe"
                                                            22⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:684
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31161cbe-1336-46c3-805b-018442301620.vbs"
                                                              23⤵
                                                                PID:1764
                                                                • C:\Users\Default User\winlogon.exe
                                                                  "C:\Users\Default User\winlogon.exe"
                                                                  24⤵
                                                                  • UAC bypass
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:2520
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fc382aa-def1-4279-88d8-7cb6771fee53.vbs"
                                                                    25⤵
                                                                      PID:2476
                                                                      • C:\Users\Default User\winlogon.exe
                                                                        "C:\Users\Default User\winlogon.exe"
                                                                        26⤵
                                                                        • UAC bypass
                                                                        • Executes dropped EXE
                                                                        • Checks whether UAC is enabled
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • System policy modification
                                                                        PID:1728
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5171fc22-64d2-49ab-8770-b77ecc6e66bd.vbs"
                                                                          27⤵
                                                                            PID:3000
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07459a59-eebc-4073-82ab-650d3827bd73.vbs"
                                                                            27⤵
                                                                              PID:2644
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9813627-b795-404d-b543-5fafed670834.vbs"
                                                                          25⤵
                                                                            PID:2500
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b138061-c555-45d7-9605-285ecfe5b050.vbs"
                                                                        23⤵
                                                                          PID:2400
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb66a6a8-92ac-40c9-9867-b98377574400.vbs"
                                                                      21⤵
                                                                        PID:768
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5166e4bb-31c5-42a5-b08a-47e8833e46f8.vbs"
                                                                    19⤵
                                                                      PID:2076
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b8854e6-bff1-4b32-a3b7-b063a370ec08.vbs"
                                                                  17⤵
                                                                    PID:1064
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d4f8804-f7ad-41ee-a4f5-6265dda4ba84.vbs"
                                                                15⤵
                                                                  PID:1556
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c535c624-c8e3-4c6d-bb8f-5952a8450844.vbs"
                                                              13⤵
                                                                PID:2604
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4491fc8d-f9ed-4836-bada-1d9fd4fbc3ef.vbs"
                                                            11⤵
                                                              PID:2588
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eb8a1c0-b577-49ee-8d6c-f3afb7096338.vbs"
                                                          9⤵
                                                            PID:924
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d85d098-2a72-4050-8048-e32dd74e69e5.vbs"
                                                        7⤵
                                                          PID:2168
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0fde016-b379-4090-8369-a0b2bf2771b7.vbs"
                                                      5⤵
                                                        PID:2620
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5211d0e-d4bd-4fdb-a564-f7396a6b96e2.vbs"
                                                    3⤵
                                                      PID:1844
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2612
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2628
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2732
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2228
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2276
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:536
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1064
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1660
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2192
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:352
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:812
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2304
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1732
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1872
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2916
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\services.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2696
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1748
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1968
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2984
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2248
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:988

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Program Files\Windows Sidebar\taskhost.exe
                                                  Filesize

                                                  4.9MB

                                                  MD5

                                                  d8a7d085b8a5b157b2b1fae01a0e4a8b

                                                  SHA1

                                                  3cf51e4dfc269f7573fe02303cf1a02f9ecccf2f

                                                  SHA256

                                                  8a63ca3ec651eab56e841df572af993ebcf682679da408227ca4837c2acc80e4

                                                  SHA512

                                                  d3003b5c98eff6571d895b0d98e54bde884b6f3b12ca8fdb8b98e1f6832e0982bec392bb2f317acb04bd905d40789795373955e31c802264daf35c9fd834ead0

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\22574535-0219-48d5-b662-9d93d620a3cb.vbs
                                                  Filesize

                                                  710B

                                                  MD5

                                                  0821c216161ebeaa36a1fe95fa7deb13

                                                  SHA1

                                                  08b50c5cbb78e75069d31808ad136f3f5c6e5c70

                                                  SHA256

                                                  c1731a97bf6849283a2f60bca13c19f0bcef0031ca02d4e41fa906bd5a45d1c8

                                                  SHA512

                                                  527b668e75a672d8810e671dd157a25e75eeee667b43a1bd0e273d6b16918ab46561fd8ac7067b47181e4325696f134db4f2ef2662c743573e231b775339400b

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\272c13f0-07a1-4cb1-a611-293d4f6255a5.vbs
                                                  Filesize

                                                  710B

                                                  MD5

                                                  b49f7ad49bec3f5d5966d65494ad002e

                                                  SHA1

                                                  d95c2a65d85c1173a1b527f1df48946dd45fa4c5

                                                  SHA256

                                                  4a006df1d8dde5b60296d6874d10841e2b307085e1159815aa08bea8c6465f05

                                                  SHA512

                                                  c5e8e3c4af13e413ec7e5a9a2ef42039a8724264a3904c35e937eea24ecad92aa7b405f33b41618dadc9d18caec2c356ed860485044aace5ef7ac2de6b4a5373

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\31161cbe-1336-46c3-805b-018442301620.vbs
                                                  Filesize

                                                  709B

                                                  MD5

                                                  0d2c5fa91a3927b61ee4d7b21f8caf5a

                                                  SHA1

                                                  3522336541ace954d2f478b03d4edbd6a083c93b

                                                  SHA256

                                                  555cb1d7ab0616f3a6b5d75a271150ade82336d679c905f9c2685db7853efc0b

                                                  SHA512

                                                  3c8586936e52e682cdac2bafd57b8050ee1ae1b2fc7d6a2be792f668bc72c4fa483690cfef0c99852be2c25b90d450b41d9e8a55602c04b2fa6ea500ddab0f39

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\5171fc22-64d2-49ab-8770-b77ecc6e66bd.vbs
                                                  Filesize

                                                  710B

                                                  MD5

                                                  da3b3f7cf68c0eae6ac9df1bb9234ca1

                                                  SHA1

                                                  a2269b5581c545148e0a1564dc1aab898f925353

                                                  SHA256

                                                  97d1cb6646308c3a06cb4e64ac735a4222aa76a138306ba5ceb8ee2ca948748d

                                                  SHA512

                                                  3797f3c1625b7cd3c6257a4d29a9e20498445f428c9a69c6bb7cd6210e08aa53f37da4dcfc7810112367d467a4b2c23793207755dec2dc42893e56f7f21ae961

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\5fc382aa-def1-4279-88d8-7cb6771fee53.vbs
                                                  Filesize

                                                  710B

                                                  MD5

                                                  ee703e9230a4fb04c377f492a58c9acd

                                                  SHA1

                                                  78184978bdc6953d2b324ef091b1b836d01df749

                                                  SHA256

                                                  abbb143b59470b550584bfc14bd3cb36e02274115b14410c224720da613e2cc6

                                                  SHA512

                                                  339839cce75f2f0f410792d4409ed007e093b31163146a084f166de9101db32af2bd9cbb602f48b19e4d12f8e87e92d7b8fbad92cace9f80c3d93241703fff65

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\65acdb6b-adb4-427f-be42-b93680e25fa0.vbs
                                                  Filesize

                                                  710B

                                                  MD5

                                                  675d5d6da7c6883a2256f88daf7ec3d4

                                                  SHA1

                                                  f6e51d50917d3cdb5ebee7fafcf118cbb0bdc3ab

                                                  SHA256

                                                  f7d0aca3e9e4e403025f1d7d69c24fdb3741645c1a3b7608a9face83b69a1e1a

                                                  SHA512

                                                  a6ca09b71bed48ad03f5229abc11cf7675dc81a2878f018b7be296e135495306aa3db9d69929e100d33f475524f786defef3e67a6fd862de4ac6290e6e9bbf88

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\9f4481ca-6482-49da-861a-7a6debfce00a.vbs
                                                  Filesize

                                                  710B

                                                  MD5

                                                  2c1533ed031d14afc66a8f6f808f3144

                                                  SHA1

                                                  c9d32de564e4bd65538a4c8b84084bb44b3f92e2

                                                  SHA256

                                                  1df4f30ef29cf4c745c52f0bc54e5b89888ce87e2400565ea3296f48a54bcce0

                                                  SHA512

                                                  1d3671a27d07d9284f292123a5ac2f9529972f9cd045427e461c9823e2c4c9052db868356f6755d3e4c6e86f530d0b8a036e78ce3c2c4b6861c7a0e3ba00db8c

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\ab8f3356-ccbe-47d6-96a5-fd733e0b9e79.vbs
                                                  Filesize

                                                  710B

                                                  MD5

                                                  f3c84f27e1bd28966b68100a63ea03fb

                                                  SHA1

                                                  9bba9ad62b966f9b926436f5b82a9d13b5fa95f3

                                                  SHA256

                                                  56e505a60da2810032e2bb5633ddb3398e04433d090fd3ffa512e9c7adeafe14

                                                  SHA512

                                                  4bcb1e77060767de915fa40891473fec7b4f64aa38d337ff190eff018dbcf56644db8d0d1d855eb26ea8f74fa104dc07340cfe99cb900928b7e3cb1c202db1ef

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\abd83568-6f7d-4041-8f9e-4665e70f5a8d.vbs
                                                  Filesize

                                                  710B

                                                  MD5

                                                  6f01abef51c25168a7a51c7021dad84c

                                                  SHA1

                                                  cdc3f21520e794814a2e0432733a7d71795547ca

                                                  SHA256

                                                  e79e74ea63b1442aab795a31f3da54a71f33d614429c02ce202383d00f41290d

                                                  SHA512

                                                  c38199b07feb0fd686d73c7ed152609475160f62b246489a385cf9c87fc4c40082f2eadeee2f394101f7070cde7192ed3c1f9440590dedcb70cdf0a7161533e0

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\bb89947f-63c7-46d6-a93f-ead9f6920c57.vbs
                                                  Filesize

                                                  710B

                                                  MD5

                                                  2107f2bb32db48bc3d080aa347686f43

                                                  SHA1

                                                  0951585250286f0de68d20a24e7edd97709d618a

                                                  SHA256

                                                  10efa35a2e71910c161610f8b84813913819a906af6980ea8c8805acbf9d4ed7

                                                  SHA512

                                                  fc4ac10c55e74aae347fe50f8858cb644c400ca543ff1c01f8fdf3fb93d9122a58083eba2d135ab2ab97e3552eb10364fde2f8c3be4afd1372e7c893be7884bf

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\e5211d0e-d4bd-4fdb-a564-f7396a6b96e2.vbs
                                                  Filesize

                                                  486B

                                                  MD5

                                                  1cedf77946a1d1fef4ab0e5fccf66dc2

                                                  SHA1

                                                  c11c11f5e1f2c72f6062167be795bef0d1fc682d

                                                  SHA256

                                                  6e9c55a014b7238fcbb72684c176e7faa00be3bb4623f1f01943799b6bde6b3c

                                                  SHA512

                                                  88c3d3b69de62476347282a1eda7be6956aa7b6cce8ded3fff615eae509aa0b50bd20fe4774774945c5abffacb8efda99e4ec979bc05204eb3565c51cc1031fc

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\ea5e3d5c-40a3-4256-9d97-db8c803c2942.vbs
                                                  Filesize

                                                  710B

                                                  MD5

                                                  dc5dca7053de36b41e88fa33aba6479d

                                                  SHA1

                                                  5e5bc238fe019ab12c5914f9100b7f5c92fe673c

                                                  SHA256

                                                  841171191962baca7acd33cd131a38268eb81034eeec6efe2961a09bffd64825

                                                  SHA512

                                                  f3fce1858ed2fef8360d0dcc77687aac58cdc4e0d4aa17fb687d88355da0fb6332b13662b5d9ad036e543229f7f5f0144087e32a206678eb37289e154d7e9ea4

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\fb608a3a-daec-4f11-85b0-457cf09ff4cc.vbs
                                                  Filesize

                                                  710B

                                                  MD5

                                                  2ccfbfb12cb6ca2e6d12dedf5d61edac

                                                  SHA1

                                                  2fefdc1cf5fd79bd1e6d8c981beb2524a63a3620

                                                  SHA256

                                                  34cfe3f91ce9e98ea9976f08b1120bf1a707cb424e8c994dc5756aa607db8f31

                                                  SHA512

                                                  35f37b097268296de214abbe21ed15b606d8514deacae92499546faeebb99e1502ecbb2bcc3d0f7abc3d24a706cba33d3af0c72a6a7b77067318a8db218bc009

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\fd703340-3e42-4013-aea8-2d1d3ff1911f.vbs
                                                  Filesize

                                                  710B

                                                  MD5

                                                  e0ce8f8a73c17aab97ab16776109c8e7

                                                  SHA1

                                                  5a20f65a39c04dbc0f6809c9cb52f3cd6b0799ae

                                                  SHA256

                                                  a5cfd9ff48b2fc4b0a40fc9b90f14bf4f38e87a3619cbd18937e127133e9cd2a

                                                  SHA512

                                                  e57424e78c259c01c74401254b912ac073b05b8f407f1690cab4fd8fd5ab89a7006acbd99b225872715fd57ceaadf88d9070156ea81cfbe8ab3df7306b79cd35

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\tmp7907.tmp.exe
                                                  Filesize

                                                  75KB

                                                  MD5

                                                  e0a68b98992c1699876f818a22b5b907

                                                  SHA1

                                                  d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                  SHA256

                                                  2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                  SHA512

                                                  856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                  Filesize

                                                  7KB

                                                  MD5

                                                  08aeca668d8d0e938dd055a8d83945d5

                                                  SHA1

                                                  eb7410dda4defd18c0c172a2f8b9af7ff14007ce

                                                  SHA256

                                                  a93773659a4b895afae940149016fb2aeb1a80c956c5a59c24eea0dbb26f5c21

                                                  SHA512

                                                  9e8833c45ab24b51f0be8d2b641e0385a890957bd6f1d796f3fb0165731d2d1daf56848f978f3e7411e30ce5d8b3b01a22913c9e422eb51a968734b77f1867f6

                                                  Download Submit

                                                • memory/1100-103-0x0000000002040000-0x0000000002048000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/1728-323-0x0000000000CE0000-0x00000000011D4000-memory.dmp

                                                  Filesize

                                                  5.0MB

                                                  Download

                                                • memory/2168-97-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

                                                  Filesize

                                                  2.9MB

                                                  Download

                                                • memory/2372-11-0x0000000000C30000-0x0000000000C3A000-memory.dmp

                                                  Filesize

                                                  40KB

                                                  Download

                                                • memory/2372-10-0x0000000000C20000-0x0000000000C32000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/2372-148-0x000007FEF6780000-0x000007FEF716C000-memory.dmp

                                                  Filesize

                                                  9.9MB

                                                  Download

                                                • memory/2372-1-0x00000000012E0000-0x00000000017D4000-memory.dmp

                                                  Filesize

                                                  5.0MB

                                                  Download

                                                • memory/2372-14-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/2372-16-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                  Download

                                                • memory/2372-15-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/2372-13-0x0000000000C90000-0x0000000000C9E000-memory.dmp

                                                  Filesize

                                                  56KB

                                                  Download

                                                • memory/2372-2-0x000000001B220000-0x000000001B34E000-memory.dmp

                                                  Filesize

                                                  1.2MB

                                                  Download

                                                • memory/2372-3-0x000007FEF6780000-0x000007FEF716C000-memory.dmp

                                                  Filesize

                                                  9.9MB

                                                  Download

                                                • memory/2372-12-0x0000000000C80000-0x0000000000C8E000-memory.dmp

                                                  Filesize

                                                  56KB

                                                  Download

                                                • memory/2372-4-0x0000000000420000-0x000000000043C000-memory.dmp

                                                  Filesize

                                                  112KB

                                                  Download

                                                • memory/2372-0-0x000007FEF6783000-0x000007FEF6784000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2372-5-0x0000000000530000-0x0000000000538000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/2372-6-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

                                                  Filesize

                                                  64KB

                                                  Download

                                                • memory/2372-9-0x0000000000C10000-0x0000000000C1A000-memory.dmp

                                                  Filesize

                                                  40KB

                                                  Download

                                                • memory/2372-8-0x0000000000C00000-0x0000000000C10000-memory.dmp

                                                  Filesize

                                                  64KB

                                                  Download

                                                • memory/2372-7-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

                                                  Filesize

                                                  88KB

                                                  Download

                                                • memory/2416-222-0x0000000000B00000-0x0000000000B12000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/2520-308-0x0000000000040000-0x0000000000534000-memory.dmp

                                                  Filesize

                                                  5.0MB

                                                  Download

                                                • memory/2728-127-0x0000000000FE0000-0x00000000014D4000-memory.dmp

                                                  Filesize

                                                  5.0MB

                                                  Download

                                                • memory/2728-149-0x00000000008D0000-0x00000000008E2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/2908-237-0x00000000013E0000-0x00000000018D4000-memory.dmp

                                                  Filesize

                                                  5.0MB

                                                  Download

                                                • memory/2928-193-0x00000000002D0000-0x00000000007C4000-memory.dmp

                                                  Filesize

                                                  5.0MB

                                                  Download

                                                • memory/3068-178-0x0000000000990000-0x00000000009A2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/3068-177-0x0000000000100000-0x00000000005F4000-memory.dmp

                                                  Filesize

                                                  5.0MB

                                                  Download