Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-11-2024 00:41

General

  • Target

    287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe

  • Size

    4.9MB

  • MD5

    397875ccdde144b8118a6c31e9f2ddf5

  • SHA1

    2dd084fb6fcf3f88ec0e377e3d588e72db36a7e7

  • SHA256

    287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924

  • SHA512

    d596ef357651886280750397c6d46c2cd67c452dd66181ba6cee487c6b8f2780f6e9d7e313809860ff258507d3c05b6c0a13ecdb5527c8be54fb3e4ff84684d7

  • SSDEEP

    49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8I:Q

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 27 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 18 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe
    "C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1072
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1292
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1316
    • C:\Users\Admin\Application Data\wininit.exe
      "C:\Users\Admin\Application Data\wininit.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2336
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bd6bf1e-82de-4074-9d3a-2f057b677a82.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Users\Admin\Application Data\wininit.exe
          "C:\Users\Admin\Application Data\wininit.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2888
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\374262ac-dd5c-47d8-a475-2f7fadbe8def.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1968
            • C:\Users\Admin\Application Data\wininit.exe
              "C:\Users\Admin\Application Data\wininit.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2148
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\107b22d1-7c6b-46c8-8e9e-025726b1afb8.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2228
                • C:\Users\Admin\Application Data\wininit.exe
                  "C:\Users\Admin\Application Data\wininit.exe"
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:1568
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdcb3944-405b-4596-ac1d-fdd859fec1ea.vbs"
                    9⤵
                      PID:1532
                      • C:\Users\Admin\Application Data\wininit.exe
                        "C:\Users\Admin\Application Data\wininit.exe"
                        10⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2320
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76a1eac6-3a6c-4384-8fa6-5949679666c9.vbs"
                          11⤵
                            PID:2044
                            • C:\Users\Admin\Application Data\wininit.exe
                              "C:\Users\Admin\Application Data\wininit.exe"
                              12⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1980
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91c5bc0d-3f00-4824-933d-ea3553c7ab32.vbs"
                                13⤵
                                  PID:1916
                                  • C:\Users\Admin\Application Data\wininit.exe
                                    "C:\Users\Admin\Application Data\wininit.exe"
                                    14⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:1068
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a657ec6-44b2-4ec6-9668-0c4130d1fca1.vbs"
                                      15⤵
                                        PID:2688
                                        • C:\Users\Admin\Application Data\wininit.exe
                                          "C:\Users\Admin\Application Data\wininit.exe"
                                          16⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2408
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a849ba9c-06b8-4add-8f2f-2acd07454c8e.vbs"
                                            17⤵
                                              PID:2280
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\278454c5-440e-4ec1-addf-2e8ddafcbbca.vbs"
                                    17⤵
                                    PID:600
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff84e61a-55a0-4874-9bcf-8ebccc13a840.vbs"
                                15⤵
                                PID:2984
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a58d0fe-d03a-41e3-b01e-52e23b2fa382.vbs"
                            13⤵
                            PID:2868
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6033a3c-4160-42f4-bb78-562d5f0dc5bb.vbs"
                        11⤵
                        PID:2656
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0415fb31-567b-4a2c-95cc-fdd050bc24f8.vbs"
                    9⤵
                    PID:1996
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9963650b-c13b-4c17-b360-9a87926a7810.vbs"
                7⤵
                PID:1360
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fa166ea-e88a-4227-9b7f-2d0d17066c5f.vbs"
            5⤵
            PID:1516
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5db8d149-89a6-4816-980b-601fef0c9c54.vbs"
        3⤵
        PID:1772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Public\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:896
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1776
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:864
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2868
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2512
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:3056
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:868
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:676
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:884
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\dllhost.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1560
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\dllhost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1420
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\dllhost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1968

                            Network

                            MITRE ATT&CK Enterprise v15


                            Downloads

                            • C:\Program Files\Windows Defender\ja-JP\RCXDB9D.tmp
                              Filesize: 4.9MB
                              MD5: ee54e451e2874e9bce1b0d2343319f0d
                              SHA1: e8965dc7fa9448bc77160a1d90c6cc03251e8fa3
                              SHA256: f01ce3e5e55c3c5948ce01ceb3884898ac34b90a60c0bf2f08b75a1f326c281e
                              SHA512: 4ae99cc7c1483f25951ff3d698cd21bfdab289de66ec10d16178e613e539982f151d4f092ad407cb55e166816fd9e618003ed8044d32660c80bb5edb3296ee1f

                            • C:\ProgramData\Microsoft Help\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe
                              Filesize: 4.9MB
                              MD5: 397875ccdde144b8118a6c31e9f2ddf5
                              SHA1: 2dd084fb6fcf3f88ec0e377e3d588e72db36a7e7
                              SHA256: 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924
                              SHA512: d596ef357651886280750397c6d46c2cd67c452dd66181ba6cee487c6b8f2780f6e9d7e313809860ff258507d3c05b6c0a13ecdb5527c8be54fb3e4ff84684d7

                            • C:\Users\Admin\AppData\Local\Temp\107b22d1-7c6b-46c8-8e9e-025726b1afb8.vbs
                              Filesize: 719B
                              MD5: e3c7616b65878eb2e2f5ad6f20f7baa0
                              SHA1: 892149bea31e2fd65cacc72b4b7c629fcbf50782
                              SHA256: 8202175de45b1c60a6080fd24dae8f8a2299b1bc7ea5bd5b4fbb69b5246d0982
                              SHA512: bb83539767953212a936d8f446243e87c5b49b50ff258ab9ce38d649691567f4581635fde12e5a395b19bed1ab64b4d67f1cb008e8cbc55c8ced117d9f77adde

                            • C:\Users\Admin\AppData\Local\Temp\374262ac-dd5c-47d8-a475-2f7fadbe8def.vbs
                              Filesize: 719B
                              MD5: 5f330f0626c4f53f705bf48cd3a54418
                              SHA1: 0dabb32b0928834fda088622ec168d4bd2ffe010
                              SHA256: db88df62a62ccfc1f737d164cd34327904cbc5e3d69bb886b69356c859a5218d
                              SHA512: 048a4a5b35c4ed153af9cf9ea60290a74ae531e18538cfdf9413f25ce3e5e03b815681532be76da1e50f23627fc5e57e95d8136d6a272cdbb65faf256334f4f8

                            • C:\Users\Admin\AppData\Local\Temp\4a657ec6-44b2-4ec6-9668-0c4130d1fca1.vbs
                              Filesize: 719B
                              MD5: 5c4166b9e2d44b7696b82de8e0514a83
                              SHA1: c3d9c314e6ef48eb9010d02fa62fb423d6a14961
                              SHA256: 2cd425e6fcdcd1675246007c7972a7aa1e21f51aaaee1400bbb7bf42e70ea644
                              SHA512: 5afb61032bec34564185f3860a3ca89e4a6169642b22a75219ab055a48850948d1e14fc75105258de1b7b3208486a1e9f364c500d73a6909cea5437dfd3008dd

                            • C:\Users\Admin\AppData\Local\Temp\5db8d149-89a6-4816-980b-601fef0c9c54.vbs
                              Filesize: 495B
                              MD5: a9bb6097d17200080b3825e9fad638ec
                              SHA1: 8987716ba4f37ad171eec62b1004a790833cba4e
                              SHA256: 32dbda849fb5b47c7ea0e3fadade31d5548240dd2fe8a447b6959203457cf329
                              SHA512: 4f534afe3b0a29120a64305b580b979dfbff0c6b2d893565a778d5447b23ae398d087d38f2e62354d4b2d596e8042048f3c2f7a7fab3ffe2e0c2c64b277c5493

                            • C:\Users\Admin\AppData\Local\Temp\76a1eac6-3a6c-4384-8fa6-5949679666c9.vbs
                              Filesize: 719B
                              MD5: ac2dae5fe9829bd17f82c1e9abb10ee8
                              SHA1: 4e8f9c50266dccf08294b859ed3c8fed211261b7
                              SHA256: cb0d2389c7e27264f561b2bd3957ee4fdc640f7e86b6108ac14b9a93c1f7bdba
                              SHA512: 78ea2db51f8ef2bd420cd41d1470e7f7326d424b4cfe5a83247feabafbd67bb5bd7c83eff4981a30b7908113cf6b0e6c5df492fb347ddb3bc9cfc301a4d4b39a

                            • C:\Users\Admin\AppData\Local\Temp\8bd6bf1e-82de-4074-9d3a-2f057b677a82.vbs
                              Filesize: 719B
                              MD5: f8cfc3f9946432a996628333174d264b
                              SHA1: b93256a2b4e8bc423df80913ed3d145e1197cbee
                              SHA256: e5679d2556b1386ed6c5d0cbc81a4689275e40f6c23353d5a7c13e9da2b51870
                              SHA512: 6756cdd649ce35dd42f0f205c1858bdd65345bcccdaaa9dda56fc7d6edf60a4b46bf5d3ba4a034438497b82a3814fe7c65ab76210efaba4bb2c833bb402f6c3d

                            • C:\Users\Admin\AppData\Local\Temp\91c5bc0d-3f00-4824-933d-ea3553c7ab32.vbs
                              Filesize: 719B
                              MD5: 5819be66f4220bdf573614a1e20a7e0b
                              SHA1: 67dcce478d139d74ebb8719d6d5d51fc3a9af3dd
                              SHA256: 35693f3a839e3140e7877c6f31b448030f882c59cc02cdd3b9ef07bfd4728cc6
                              SHA512: 2eeaa7c5b01c4e4328d23860987f6a4425f4d5ca908781d84f83f0be4015900b2e4bbc387ea2a138b11aa84d0038741d14a47929c08f930395ab72b7267e8d4a

                            • C:\Users\Admin\AppData\Local\Temp\a849ba9c-06b8-4add-8f2f-2acd07454c8e.vbs
                              Filesize: 719B
                              MD5: c3c6864bbca422079612c035846c14da
                              SHA1: 90619d30b38931ba93b42b03ce6df43753e3198e
                              SHA256: 28ed01cd9bff28482f912c89e27bcbcce2aeb31e49ce55115cf982564455f42f
                              SHA512: 0b905585dd00621398548e5f3fea782910f0e48b8ae63d1b752f694214085ebb92456b02f729d0b00bb9ab35b98565df4316680c26bd39c89c22f684e86e7956

                            • C:\Users\Admin\AppData\Local\Temp\bdcb3944-405b-4596-ac1d-fdd859fec1ea.vbs
                              Filesize: 719B
                              MD5: 5dc71af99b7c08bbdcba45c45882475b
                              SHA1: cfe6bed4a50a124212ea883316f63d12c736859c
                              SHA256: 5ef9d1e421d6b08abe28166ede5848681b0a11b593b2f3a19ae7b1a67d8f9974
                              SHA512: 5e9ea81393288bf57290d6f86bfa9fd7d5021560da6c458d8b55960dee25a7364241613fc1f06aea74a2cc899f7c10edaf99f38f94af94b8c07cdbfd3975d7ed

                            • C:\Users\Admin\AppData\Local\Temp\tmpFB5F.tmp.exe
                              Filesize: 75KB
                              MD5: e0a68b98992c1699876f818a22b5b907
                              SHA1: d41e8ad8ba51217eb0340f8f69629ccb474484d0
                              SHA256: 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
                              SHA512: 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KW616HCW37JRWJER9M4R.temp
                              Filesize: 7KB
                              MD5: 1b0cc943f29854eeae0ae7511a488ad3
                              SHA1: f4d0e988c521b310a52e62d51b23e355b1132125
                              SHA256: dd2ba0472641ebf30f4e9fffc41179e56dee84ce09d3bb59c3d4f37106f38cb1
                              SHA512: dd524fe3db0f8a8a2f61596df26745b5284b1474a33f6c164dbcb47298d52a23b48d5351e0815ec9a3f51d3ceeefeed79b0d7f3ada8eba33d28454bea4a3170f

                            • memory/404-250-0x0000000001E30000-0x0000000001E38000-memory.dmp (Filesize: 32KB)
                            • memory/404-249-0x000000001B500000-0x000000001B7E2000-memory.dmp (Filesize: 2.9MB)
                            • memory/1068-339-0x00000000008E0000-0x0000000000DD4000-memory.dmp (Filesize: 5.0MB)
                            • memory/1568-295-0x0000000000FD0000-0x00000000014C4000-memory.dmp (Filesize: 5.0MB)
                            • memory/1980-324-0x00000000000E0000-0x00000000005D4000-memory.dmp (Filesize: 5.0MB)
                            • memory/2148-280-0x0000000000B90000-0x0000000001084000-memory.dmp (Filesize: 5.0MB)
                            • memory/2336-231-0x0000000000040000-0x0000000000534000-memory.dmp (Filesize: 5.0MB)
                            • memory/2408-354-0x00000000011F0000-0x00000000016E4000-memory.dmp (Filesize: 5.0MB)
                            • memory/2888-265-0x0000000000A50000-0x0000000000F44000-memory.dmp (Filesize: 5.0MB)
                            • memory/3016-10-0x0000000000C50000-0x0000000000C62000-memory.dmp (Filesize: 72KB)
                            • memory/3016-251-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp (Filesize: 9.9MB)
                            • memory/3016-155-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp (Filesize: 9.9MB)
                            • memory/3016-140-0x000007FEF6033000-0x000007FEF6034000-memory.dmp (Filesize: 4KB)
                            • memory/3016-16-0x0000000000E70000-0x0000000000E7C000-memory.dmp (Filesize: 48KB)
                            • memory/3016-15-0x0000000000E60000-0x0000000000E68000-memory.dmp (Filesize: 32KB)
                            • memory/3016-14-0x0000000000D10000-0x0000000000D18000-memory.dmp (Filesize: 32KB)
                            • memory/3016-13-0x0000000000D00000-0x0000000000D0E000-memory.dmp (Filesize: 56KB)
                            • memory/3016-12-0x0000000000C70000-0x0000000000C7E000-memory.dmp (Filesize: 56KB)
                            • memory/3016-11-0x0000000000C60000-0x0000000000C6A000-memory.dmp (Filesize: 40KB)
                            • memory/3016-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp (Filesize: 4KB)
                            • memory/3016-9-0x0000000000620000-0x000000000062A000-memory.dmp (Filesize: 40KB)
                            • memory/3016-8-0x0000000000500000-0x0000000000510000-memory.dmp (Filesize: 64KB)
                            • memory/3016-7-0x00000000004E0000-0x00000000004F6000-memory.dmp (Filesize: 88KB)
                            • memory/3016-6-0x00000000004D0000-0x00000000004E0000-memory.dmp (Filesize: 64KB)
                            • memory/3016-5-0x00000000004C0000-0x00000000004C8000-memory.dmp (Filesize: 32KB)
                            • memory/3016-4-0x0000000000420000-0x000000000043C000-memory.dmp (Filesize: 112KB)
                            • memory/3016-3-0x000000001B520000-0x000000001B64E000-memory.dmp (Filesize: 1.2MB)
                            • memory/3016-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp (Filesize: 9.9MB)
                            • memory/3016-1-0x0000000000F60000-0x0000000001454000-memory.dmp (Filesize: 5.0MB)