Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-11-2024 00:07

General

  • Target

    8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe

  • Size

    4.9MB

  • MD5

    5cc4d6abb8d7be81eb9e88cd2817782d

  • SHA1

    68d23b88f276fd956d0863067595c1f8d485df63

  • SHA256

    8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f

  • SHA512

    f4b7625e040a4fe325d3c417bb571767a28c737804f959b1326534b4a1fae014afb2e563680b48cecd1172c5d878c0dcd364d640653d7e24a380b31df50d611c

  • SSDEEP

    49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 39 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Checks whether UAC is enabled 1 TTPs 26 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
    "C:\Users\Admin\AppData\Local\Temp\8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:776
    • C:\Users\Public\Videos\Sample Videos\explorer.exe
      "C:\Users\Public\Videos\Sample Videos\explorer.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:284
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13a04e06-5f7d-44a5-939d-6fa4d2b7c6b2.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Users\Public\Videos\Sample Videos\explorer.exe
          "C:\Users\Public\Videos\Sample Videos\explorer.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2348
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e87d1b1-60dc-4056-afbf-2fa7dd58fb3d.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1336
            • C:\Users\Public\Videos\Sample Videos\explorer.exe
              "C:\Users\Public\Videos\Sample Videos\explorer.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:996
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5a84b9e-a387-4970-b61e-9c8055bf7fae.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1736
                • C:\Users\Public\Videos\Sample Videos\explorer.exe
                  "C:\Users\Public\Videos\Sample Videos\explorer.exe"
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:932
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc33de89-ca07-43a4-836b-87b0bce8b619.vbs"
                    9⤵
                    PID:2496
                      • C:\Users\Public\Videos\Sample Videos\explorer.exe
                        "C:\Users\Public\Videos\Sample Videos\explorer.exe"
                        10⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:1968
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b647083-8e9a-4db6-af11-30198a1995dc.vbs"
                          11⤵
                        PID:1676
                            • C:\Users\Public\Videos\Sample Videos\explorer.exe
                              "C:\Users\Public\Videos\Sample Videos\explorer.exe"
                              12⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:2188
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46864f68-4591-4343-b1ac-4f432f0b59b3.vbs"
                                13⤵
                            PID:1796
                                  • C:\Users\Public\Videos\Sample Videos\explorer.exe
                                    "C:\Users\Public\Videos\Sample Videos\explorer.exe"
                                    14⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2996
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dd29283-f4a0-40f9-8995-6e0a366adf30.vbs"
                                      15⤵
                                PID:1368
                                        • C:\Users\Public\Videos\Sample Videos\explorer.exe
                                          "C:\Users\Public\Videos\Sample Videos\explorer.exe"
                                          16⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2208
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9dc950a-ab1a-4262-bfb2-5c6050950b0a.vbs"
                                            17⤵
                                    PID:1976
                                              • C:\Users\Public\Videos\Sample Videos\explorer.exe
                                                "C:\Users\Public\Videos\Sample Videos\explorer.exe"
                                                18⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:2984
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5689abb-68bc-48fb-8b0d-a13c24f8aef4.vbs"
                                                  19⤵
                                        PID:1860
                                                    • C:\Users\Public\Videos\Sample Videos\explorer.exe
                                                      "C:\Users\Public\Videos\Sample Videos\explorer.exe"
                                                      20⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:1036
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04adb34f-895c-4eaa-93a0-d5b7c4eeae6e.vbs"
                                                        21⤵
                                            PID:1504
                                                          • C:\Users\Public\Videos\Sample Videos\explorer.exe
                                                            "C:\Users\Public\Videos\Sample Videos\explorer.exe"
                                                            22⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:1032
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc723351-23d3-43a3-9ba0-9f74e8f09162.vbs"
                                                              23⤵
                                                PID:1712
                                                                • C:\Users\Public\Videos\Sample Videos\explorer.exe
                                                                  "C:\Users\Public\Videos\Sample Videos\explorer.exe"
                                                                  24⤵
                                                                  • UAC bypass
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:2056
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e73a70e7-7ff4-4cd6-aa6d-52b38dbb541a.vbs"
                                                                    25⤵
                                                    PID:2352
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b83dec92-8e39-4c3c-a3ad-10dcdab58075.vbs"
                                                    25⤵
                                                    PID:2300
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d628c0a-4024-4b5c-abb2-df27f67e2195.vbs"
                                                23⤵
                                                PID:2552
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\333a5f6d-adb3-4475-9f8e-adcd7c0bc2a0.vbs"
                                            21⤵
                                            PID:1988
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79046033-927a-46d5-ae2f-f807ea8007f2.vbs"
                                        19⤵
                                        PID:1800
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37aac782-6c5e-40fa-972d-afa1d8435e18.vbs"
                                    17⤵
                                    PID:2196
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8931c8c9-3d19-4546-90ef-debc02d86d29.vbs"
                                15⤵
                                PID:1624
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0113779-4f79-456b-9a3e-25ba2a79bd59.vbs"
                            13⤵
                            PID:844
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\743be4c9-1177-419f-88af-4828bbb14507.vbs"
                        11⤵
                        PID:2060
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38fe360a-097e-4f6b-afb2-7f0c0dca4a41.vbs"
                    9⤵
                    PID:2896
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ebd9746-6cce-4ab0-b273-dd06cec23a62.vbs"
                7⤵
                PID:1828
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f790def0-082f-4a06-aa11-46ac0bb8443c.vbs"
            5⤵
            PID:2212
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e1f6f4a-0308-4476-981d-cc6554b7efbc.vbs"
        3⤵
        PID:2248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\IME\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\IME\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Cookies\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Cookies\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1156
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1032
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1192

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RCX7BCD.tmp

                                              Filesize

                                              4.9MB

                                              MD5

                                              7eae06f4acdad1ff18445d192cad535e

                                              SHA1

                                              e7e8de02f06c307f02e03a7b9f915dc964ffe559

                                              SHA256

                                              ef6c316ad5ea6eec16cd5672c67c1a15da3c367aa6730a1fcd542beb511173fa

                                              SHA512

                                              8c4d4020f6d26c232228f5310de1bc11573a5bcdbaf3beb5cfcd9bb9a4d9fd778748c548c8754ea7643d5871d6feb2efa26886c566575bee657ee636fd172e13

                                            • C:\Users\Admin\AppData\Local\Temp\04adb34f-895c-4eaa-93a0-d5b7c4eeae6e.vbs

                                              Filesize

                                              725B

                                              MD5

                                              685669892702afb182316f75295dc816

                                              SHA1

                                              4dc981aa46cfe52273f9b1a2dc6819a31c7b1655

                                              SHA256

                                              9dd336ff9a2fb6a37c862c563cb14a888e0a5d68f4ac045a7a690faf72f7538f

                                              SHA512

                                              7ca04395e3afcd8a7dbe49f02e4f020c4626e49e379e3586ee2be9c8fd43b76bbb7bbd80d113bcff2024f64459bd61814414d4f3c936b8586b03ce9cc7eb0fe8

                                            • C:\Users\Admin\AppData\Local\Temp\13a04e06-5f7d-44a5-939d-6fa4d2b7c6b2.vbs

                                              Filesize

                                              724B

                                              MD5

                                              c6ecd9ce31aedb4e117575b93becf68f

                                              SHA1

                                              3cb497af657aada458802530d2507d5516421001

                                              SHA256

                                              5cc711ad2aa70cfe9bc6efe7137b366487525c80700a9a0bb87e1d43cd259a88

                                              SHA512

                                              d92590c5405d4b20805dac80432ebf5372c010176dec8cabc323235a5649003a3fb72ccb66abc3a0bb2d1a4128aac9da07598cf994dfbc1a18e04450b0ce59c8

                                            • C:\Users\Admin\AppData\Local\Temp\46864f68-4591-4343-b1ac-4f432f0b59b3.vbs

                                              Filesize

                                              725B

                                              MD5

                                              7da46b3b958348fb5587332dc78f596c

                                              SHA1

                                              23d101e9754bcf346b09914cc33e4e09607ffcf9

                                              SHA256

                                              9af67bb85af256d2e54d0691c4f1d3173832c38d56a47133155173512289d482

                                              SHA512

                                              01e4e93c0429564659580a3b70941d716d36bd25fdd55e576f7b0b7a72ef51f24a51c5e9a79fcee72ac9191b32913ba4c3a63c3b446781e4c714abb45f369382

                                            • C:\Users\Admin\AppData\Local\Temp\4e1f6f4a-0308-4476-981d-cc6554b7efbc.vbs

                                              Filesize

                                              501B

                                              MD5

                                              f0ea5a505a8b31298417d089cafd6001

                                              SHA1

                                              183eb14ee9782a8c585b4dbfa0d1c5107b5826be

                                              SHA256

                                              1a61c229dd0e5331ca57f4668f1d2e10e1ac51a6eaafbc72997a6ed6e40deabf

                                              SHA512

                                              4ef34c3e300df51f3236d1c3be571fc851072640317785c04a37b5e89e4bf4d380811cb7f483cce368a7c629938cf543b2880e4eec5b0e084b14946013985272

                                            • C:\Users\Admin\AppData\Local\Temp\4e87d1b1-60dc-4056-afbf-2fa7dd58fb3d.vbs

                                              Filesize

                                              725B

                                              MD5

                                              3bc9c467686ae078e5777656f493404a

                                              SHA1

                                              40d5ec0de55b64aed431c25ad567a2bb80485b7b

                                              SHA256

                                              dd4e5b8315f67e3b5301e82301bc1c2d8a1f12e3efebc9d383c5ef59dec99159

                                              SHA512

                                              e22e462569a84b3c83bc7f5d338e0ec6ea5c8e0567161cec8d6297a613d885b32d987381ac93f1fcd2475eef1409a300090e9bbd79b2d71040737540906d0153

                                            • C:\Users\Admin\AppData\Local\Temp\6dd29283-f4a0-40f9-8995-6e0a366adf30.vbs

                                              Filesize

                                              725B

                                              MD5

                                              510ecc1f12f20f1f9e115f348e6375c6

                                              SHA1

                                              1a934adea1c0dca52badf4be3be8d29549658a87

                                              SHA256

                                              1deb24b0eed507323f9696e8206d75fd1b0d1ae8ff49f12b298cf539b07c1d93

                                              SHA512

                                              253d05050760c7ba3ab3e04b126221bb5bb11fc2a2e2fb2934ba92cd48e5c17d8164bf5d384a7dfa7e6a483a3a4c9c47ca01f8aa58f394e7e8e4ac1471919511

                                            • C:\Users\Admin\AppData\Local\Temp\8b647083-8e9a-4db6-af11-30198a1995dc.vbs

                                              Filesize

                                              725B

                                              MD5

                                              dd1fc73c29251c26e40cb56dcd6e7d72

                                              SHA1

                                              daeb3c293113f80577129e3ad9f9cf1960e09705

                                              SHA256

                                              d1ae1d102bee415cfe3de1f47acab9d0a98c015289b20d7df05b997320cf0f1d

                                              SHA512

                                              32dfe95f7947686028ddfa44972db2626d5a1a63543694af5830157866fb6563c2c0dcd9c67bf2d4d7dc19f1a9f297082c5a334729613aab2e6be01f20373009

                                            • C:\Users\Admin\AppData\Local\Temp\a5689abb-68bc-48fb-8b0d-a13c24f8aef4.vbs

                                              Filesize

                                              725B

                                              MD5

                                              5569f014ff994ae38fa00646d0bbf572

                                              SHA1

                                              4895decabe6bafc152a515c5eb8902f243866efd

                                              SHA256

                                              df7e075e9d7592115e80427dfd0f0b5d5bff96bafb3ef8b2ab951323148f1d84

                                              SHA512

                                              23d964513db860c09618a616867f924ebc3d034313f15fb6b8fb94c4b5b62275f142e9192ad9c5db9d9dca67cef0b4663ef1a85c7dbed500ceff3a1c80ba4f71

                                            • C:\Users\Admin\AppData\Local\Temp\a9dc950a-ab1a-4262-bfb2-5c6050950b0a.vbs

                                              Filesize

                                              725B

                                              MD5

                                              46521540af3156cbedc9624ef2477a6a

                                              SHA1

                                              c5a4650f25ef5f690762406fb04668cd1ecef991

                                              SHA256

                                              e4dc7d707daf5d4e839e2d0faa1564c7f0d085ed3eee345614efc7a34c261e01

                                              SHA512

                                              876e5cf31897585db8339820e9af3df3f88d48795495d507f73530041e93013e5e96ea888e011e65037bad61dc8f747de80d9b4f0624079f3aba5725da2f4cae

                                            • C:\Users\Admin\AppData\Local\Temp\b5a84b9e-a387-4970-b61e-9c8055bf7fae.vbs

                                              Filesize

                                              724B

                                              MD5

                                              c38d363d7366d49a71dd0b048dee2131

                                              SHA1

                                              09012a7f2eac38c6b02f7aab49a61ef992f8b1ec

                                              SHA256

                                              d375ec96dab01c092c795e994e182589d6fa247587b3429a0387465436a9ee98

                                              SHA512

                                              2cac2a28300cd2d456191aca0920421c17806358ca53046ba75299d89b3b86cd3405efc6541b23045ea6cf1f46992c8a432c97cbe0513049eaa05afade98d9f6

                                            • C:\Users\Admin\AppData\Local\Temp\dc723351-23d3-43a3-9ba0-9f74e8f09162.vbs

                                              Filesize

                                              725B

                                              MD5

                                              85b3186557762f8fa15991ddd6e78e09

                                              SHA1

                                              c250e861e390db200e1b439be297c085127a46dd

                                              SHA256

                                              2adc26343a7a2e16bec8203d61d26919e7309abfdafbc4f5206a7fb398cbbb73

                                              SHA512

                                              2bac90a1e048cab9c05035936d0944237e357400ae73a176b9aacd34e38d776c028c3c4f7adfff89752a002618f7ae682b51317e573596f84b8ce3aa5149d4b1

                                            • C:\Users\Admin\AppData\Local\Temp\e73a70e7-7ff4-4cd6-aa6d-52b38dbb541a.vbs

                                              Filesize

                                              725B

                                              MD5

                                              47ad856a20589134cd2ac0da794cb799

                                              SHA1

                                              bfbb77e69b5b5329bd3fd2e0651cf61b34fa937d

                                              SHA256

                                              13d6fe95adeb7c562acf16ba0b5de5f0650dc2b2ff9ebafa5cb80f7ef9ad3fc5

                                              SHA512

                                              816583437b552d4618e405f436344a1ea89933e677d1cbb5da0330de749da904403b71c38ad26a2e127aac72d7aa244484af94d9479b6231682d03f1d034677e

                                            • C:\Users\Admin\AppData\Local\Temp\fc33de89-ca07-43a4-836b-87b0bce8b619.vbs

                                              Filesize

                                              724B

                                              MD5

                                              3cd919913164929ed43ad653a57ee1ab

                                              SHA1

                                              c172dd39e27591c1045200fe6e256eca8eaf507d

                                              SHA256

                                              ed9f1891837666062b175aa3d5a4a4d4221fde496081d1735891071cb9651f7a

                                              SHA512

                                              a6e6a027fd299179b939b2d6b5b6cc9fa357c04dfedb725337820e234b7de68d562476a6632e7f720ed0a906084f9e773af925b60988bda539afd03f0b17acca

                                            • C:\Users\Admin\AppData\Local\Temp\tmp9398.tmp.exe

                                              Filesize

                                              75KB

                                              MD5

                                              e0a68b98992c1699876f818a22b5b907

                                              SHA1

                                              d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                              SHA256

                                              2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                              SHA512

                                              856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                              Filesize

                                              7KB

                                              MD5

                                              5cf2c1f79c2914a685f046ad69fe268e

                                              SHA1

                                              4f3dfd70635354e5999429e9da4f6e3693de6bf2

                                              SHA256

                                              9803b087aadb48241c95bea94288f270564ed93e5928597832de92994496730c

                                              SHA512

                                              a0863357674de771dfaa02d2995484823b83614c687d81799b8b9274f8d12bb9004383690aa6b8544348d040b78dc31480d9550d58078cf5a54c8e0f06ec141c

                                            • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\System.exe

                                              Filesize

                                              4.9MB

                                              MD5

                                              5cc4d6abb8d7be81eb9e88cd2817782d

                                              SHA1

                                              68d23b88f276fd956d0863067595c1f8d485df63

                                              SHA256

                                              8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f

                                              SHA512

                                              f4b7625e040a4fe325d3c417bb571767a28c737804f959b1326534b4a1fae014afb2e563680b48cecd1172c5d878c0dcd364d640653d7e24a380b31df50d611c

                                            • memory/284-113-0x00000000001C0000-0x00000000006B4000-memory.dmp

                                              Filesize

                                              5.0MB

                                            • memory/284-160-0x00000000024C0000-0x00000000024D2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/932-205-0x0000000001130000-0x0000000001624000-memory.dmp

                                              Filesize

                                              5.0MB

                                            • memory/996-190-0x00000000003B0000-0x00000000008A4000-memory.dmp

                                              Filesize

                                              5.0MB

                                            • memory/1032-305-0x00000000001B0000-0x00000000006A4000-memory.dmp

                                              Filesize

                                              5.0MB

                                            • memory/1032-306-0x0000000000A20000-0x0000000000A32000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1036-290-0x00000000012E0000-0x00000000017D4000-memory.dmp

                                              Filesize

                                              5.0MB

                                            • memory/1984-115-0x0000000002390000-0x0000000002398000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1984-111-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/2056-321-0x0000000001390000-0x0000000001884000-memory.dmp

                                              Filesize

                                              5.0MB

                                            • memory/2348-175-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2348-174-0x0000000000E00000-0x00000000012F4000-memory.dmp

                                              Filesize

                                              5.0MB

                                            • memory/2876-11-0x000000001AAE0000-0x000000001AAEA000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/2876-114-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/2876-16-0x000000001AB30000-0x000000001AB3C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2876-15-0x000000001AB20000-0x000000001AB28000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2876-14-0x000000001AB10000-0x000000001AB18000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2876-13-0x000000001AB00000-0x000000001AB0E000-memory.dmp

                                              Filesize

                                              56KB

                                            • memory/2876-12-0x000000001AAF0000-0x000000001AAFE000-memory.dmp

                                              Filesize

                                              56KB

                                            • memory/2876-0-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/2876-10-0x00000000023D0000-0x00000000023E2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2876-9-0x00000000023C0000-0x00000000023CA000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/2876-8-0x0000000000B10000-0x0000000000B20000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/2876-7-0x0000000000A70000-0x0000000000A86000-memory.dmp

                                              Filesize

                                              88KB

                                            • memory/2876-6-0x00000000007E0000-0x00000000007F0000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/2876-5-0x0000000000780000-0x0000000000788000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2876-4-0x00000000007C0000-0x00000000007DC000-memory.dmp

                                              Filesize

                                              112KB

                                            • memory/2876-3-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

                                              Filesize

                                              9.9MB

                                            • memory/2876-2-0x000000001B4A0000-0x000000001B5CE000-memory.dmp

                                              Filesize

                                              1.2MB

                                            • memory/2876-1-0x0000000000250000-0x0000000000744000-memory.dmp

                                              Filesize

                                              5.0MB