Analysis

  • max time kernel
    117s
  • max time network
    110s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-12-2024 16:34

General

  • Target

    3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe

  • Size

    4.9MB

  • MD5

    2c3bf56a91d29eceee2078a85b738cc0

  • SHA1

    78ea0f96e4f560bb3cdb9cdcd157adb773c3d7fa

  • SHA256

    3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bd

  • SHA512

    9507ce6faec5c17d1078db95220e8dce8a5d055fc5cb574c09a8a54d8b08b6475db1641a9f8fb13170c2a02ca2b10f6d31b4f902603efff7eeb6df962d0efb21

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 30 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 9 IoCs
  • Checks whether UAC is enabled 1 TTPs 20 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
    "C:\Users\Admin\AppData\Local\Temp\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2196
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2336
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1268
    • C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
      "C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2108
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dc19a54-e170-41cd-af18-e58f37c2493a.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
          "C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1728
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5e9a89a-c134-4a4d-9d50-33a620f02fe8.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3040
            • C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
              "C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2716
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e51ff174-b140-4812-8d46-25a277863e62.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1536
                • C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
                  "C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:880
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ce0f681-5e4e-48ee-b501-355546bd5a7d.vbs"
                    9⤵
                      PID:2908
                      • C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
                        "C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"
                        10⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2028
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adf12a93-cdc9-4de9-b2f8-020fd3ea7efb.vbs"
                          11⤵
                            PID:1100
                            • C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
                              "C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"
                              12⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1012
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b591c2b-f427-4198-9b8c-323b3c8b24c2.vbs"
                                13⤵
                                  PID:820
                                  • C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
                                    "C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"
                                    14⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2424
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ed01fe3-2324-4b3f-b2e9-f9433806a017.vbs"
                                      15⤵
                                        PID:1060
                                        • C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
                                          "C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"
                                          16⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2880
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76274a68-650a-4a83-b835-9118ad825831.vbs"
                                            17⤵
                                              PID:2796
                                              • C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
                                                "C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"
                                                18⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:1612
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24eedc64-03f8-4d69-96ee-e0276b4f9069.vbs"
                                                  19⤵
                                                    PID:2784
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b88ed8d0-5d93-4cb9-a98f-13d1e58e853b.vbs"
                                                    19⤵
                                                      PID:1048
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc6554c7-ea19-4088-bd6b-c0ed0d9e535e.vbs"
                                                  17⤵
                                                    PID:1740
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c07fada1-aabf-44c6-9962-e7c96664cb7d.vbs"
                                                15⤵
                                                  PID:1652
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b261055-c5dc-4c1a-a560-1a1afe362bc2.vbs"
                                              13⤵
                                                PID:2204
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94ec4721-34c4-41b1-9d32-39b51323ec9e.vbs"
                                            11⤵
                                              PID:2432
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b7c7293-f091-4ab9-881f-8a465333b1e1.vbs"
                                          9⤵
                                            PID:920
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c770147-7970-4293-8f21-ebfc03c946d4.vbs"
                                        7⤵
                                          PID:3028
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60fc3f86-5976-43cb-b3b2-83c86a05669b.vbs"
                                      5⤵
                                        PID:1332
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a64eac9e-74f7-4435-962a-270dc846052e.vbs"
                                    3⤵
                                      PID:1748
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2212
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2456
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:264
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN3" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:880
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:592
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN3" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1656
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:840
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2060
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2152
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsm.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2084
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2992
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:3056
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN3" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\ASP.NET\0019\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2932
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN" /sc ONLOGON /tr "'C:\Windows\inf\ASP.NET\0019\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2520
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN3" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\ASP.NET\0019\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2880
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Links\audiodg.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2824
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Links\audiodg.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2716
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\audiodg.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2232
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\audiodg.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2588
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Temp\audiodg.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2448
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\audiodg.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1508
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Updater6\sppsvc.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1260
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1404
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Updater6\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1600
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1772
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2468
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1940
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\it-IT\sppsvc.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:3028
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2960
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\it-IT\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2120
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\wininit.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:3000
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1436
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2472
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN3" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:996
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1096
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN3" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1200
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2028
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2372
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1632

                                Network

                                MITRE ATT&CK Enterprise v15

                                Downloads

                                 • C:\Users\Admin\AppData\Local\Temp\1b591c2b-f427-4198-9b8c-323b3c8b24c2.vbs
                                   Filesize 803B
                                   MD5 3744cd0ad326b72f10f5df9db84a917d
                                   SHA1 f7197ad6842d73fe2b948035f3f9c9f163bb65d3
                                   SHA256 facaeb08f5797cd35aead037c201316a879489212d87f164898f1f7f897a5444
                                   SHA512 a3ca2747175f1f94305581966dc13bbce35661077649b3e350d247d65351b21f215b2c7d98c18c981b376b2b64ef29a8fcb589c4a27859e8f2466d6e45e0eef2

                                 • C:\Users\Admin\AppData\Local\Temp\24eedc64-03f8-4d69-96ee-e0276b4f9069.vbs
                                   Filesize 803B
                                   MD5 2880e24eb016fdd3cdaf241ecb8e40ab
                                   SHA1 d95ea6eb8291ab8a96a78feeffe551142f2ded7b
                                   SHA256 fb44877428e891a6a64745457abd089525025af87d33d2e5d92eedccf69c3f89
                                   SHA512 4335780f40aef02551e508802b606a73af5432276081e82c76bfa9559b94de1aa354efb59a42bea942e683f8133c13a5882b7f01f27193d7b611517ab54c1652

                                 • C:\Users\Admin\AppData\Local\Temp\3dc19a54-e170-41cd-af18-e58f37c2493a.vbs
                                   Filesize 803B
                                   MD5 043cdcf88a3a8eda558bc05517617f4a
                                   SHA1 871014e325fe0f91893535a549a1e470df1644d9
                                   SHA256 25c01e2b484b83b814d380ed162339bca4add23ef6c53adcbd9d13ed594f4ce6
                                   SHA512 0fe2e56f0327613b8bf5e284c9b70fe9861b647f163fed13e8cc91510e3a7c8887ed395f9121dc018061c02398df8d0c4783e00f99da5d41e044732f26602d9b

                                 • C:\Users\Admin\AppData\Local\Temp\6ed01fe3-2324-4b3f-b2e9-f9433806a017.vbs
                                   Filesize 803B
                                   MD5 c1667eb8c9e7dc37176229f895a3786a
                                   SHA1 4c695db2e97fff33c03f2313a48e7fbd250c899b
                                   SHA256 c638c4e5ef9a59b4b8024a58b17b18c856e78207de4e9aaf4e0b14ed728653ff
                                   SHA512 73a54b53b4f573c7bae03fe5f7dd3ef695a88e5f65208611e31ecf86ecf913177d165570b1fd1394855a7a3d33944ccec64bb95836d689f5c82a3856839efda5

                                 • C:\Users\Admin\AppData\Local\Temp\76274a68-650a-4a83-b835-9118ad825831.vbs
                                   Filesize 803B
                                   MD5 6d9397d2e863d27c6b1e7028670cb861
                                   SHA1 741e43689dfaedb71ac1e3de9161384a991f7fdc
                                   SHA256 8546080628f91cd6e6bb3d4e8b2d698db8bc540ad3e8d3a2e3a447ff74972d3d
                                   SHA512 2bfec4ce272e2075507d0ee155db335a320c6e37ee8e4ebd0fcc5d8e0abf4f2a75ae605ad063e0398966099829cc46ceb6a3d9626f32aa07f26ad2786a7af560

                                 • C:\Users\Admin\AppData\Local\Temp\8ce0f681-5e4e-48ee-b501-355546bd5a7d.vbs
                                   Filesize 802B
                                   MD5 e9173af7293ed7bc614a6d8fc71e721a
                                   SHA1 9ccb8033f122641f23dfad046fe73eea56f8cc56
                                   SHA256 6c84881c5d3ea478898148c7968cb82beac0b34b00df4e75956ad6f3db66d5d7
                                   SHA512 ec5cd6b59796dd70cd85e1cece08adf27c324dafa613ed1cf3d09f973e96c80d0625560f07432ce25ff1e8b9a011e9e2a1162d1ab528121a85e50e9985b66da1

                                 • C:\Users\Admin\AppData\Local\Temp\a64eac9e-74f7-4435-962a-270dc846052e.vbs
                                   Filesize 579B
                                   MD5 bf483354328bc8f10af90a6ed25f2904
                                   SHA1 26630628a70ccbea66242fdfdbde692ed5382084
                                   SHA256 e4fe06b53b5a3074a7089cfff58c546269512b4e21635a38619ea9179ea58173
                                   SHA512 5f9546e6475cdf2dc1f0aff7a5404d29acdf473a5eadc4be3735b93317d01bd37ef34a0dde78df51825d1bbc7cc69c424ed1c65f39cb28873fcee12006c31dad

                                 • C:\Users\Admin\AppData\Local\Temp\adf12a93-cdc9-4de9-b2f8-020fd3ea7efb.vbs
                                   Filesize 803B
                                   MD5 cbab435c643510372b35001a5b2e25ff
                                   SHA1 c406d50c4581f88f443adff3ce8ce8c04ad1587a
                                   SHA256 23857b7edd597d1d9574db36af2d3f2337349f07907df0ae74374630f4dd1bf2
                                   SHA512 8b39cfc10d064017d9e6443c243382512175b1c42fc0f251337be5c69bb8f098dd20d0272ad76c6c2872178a3a6f61302c9ee2d313099ccd653dfc1e224bea84

                                 • C:\Users\Admin\AppData\Local\Temp\e51ff174-b140-4812-8d46-25a277863e62.vbs
                                   Filesize 803B
                                   MD5 824f1c7b6bdfd67a2fe28c3ad04cc8d0
                                   SHA1 06b167716e23ca8db5f72c0ea6e62ac022e16d2d
                                   SHA256 77954776061d6189131fb584466f48f27ad96e0af6cbdf1a01de11805425a5f4
                                   SHA512 37867bd7b295aa806930bd6aea6880cb6b4d2d578cc90647943dc9ae67da10f2f1b63f4c75877e5769e941d98c4cc06aa7e55017aaf367e9b39280b89e6bd317

                                 • C:\Users\Admin\AppData\Local\Temp\e5e9a89a-c134-4a4d-9d50-33a620f02fe8.vbs
                                   Filesize 803B
                                   MD5 775bea434bc836cc2b8e62a6685b1ba2
                                   SHA1 ee0e87a7745125c919b7a66751dc3bf83b4276e6
                                   SHA256 d5682ab3fa337198a731fed8261868a396904e82b4dee8573c06d0b1c4305ca9
                                   SHA512 8508715c93a4e856658cceccd2cb6582f2bcb360827e4edc80c4657b67751204124b9c011638c447842c4b32745ad7a6a48f413482435e36188ea84d5a803fa3

                                 • C:\Users\Admin\AppData\Local\Temp\tmp9AE8.tmp.exe
                                   Filesize 75KB
                                   MD5 e0a68b98992c1699876f818a22b5b907
                                   SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
                                   SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
                                   SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                 • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                   Filesize 7KB
                                   MD5 85dd857d997e1b030040a092cdb40842
                                   SHA1 5e494c1c9ee9e556c395b25bd388b329f4886852
                                   SHA256 9867e0c65452f47fd3d9d1d59d1a66cbf71ec193c9fb50a4ee2b24ea3034e059
                                   SHA512 e9c72902307088aadb942fd697cafb453edd5aeede2f247e20bb97a43c3552f594b8c795099d1265b6079fdaf86a62b19f7795bd5f1174d49f09e78c7ec4a4b6

                                 • C:\Windows\inf\ASP.NET\0019\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
                                   Filesize 4.9MB
                                   MD5 2c3bf56a91d29eceee2078a85b738cc0
                                   SHA1 78ea0f96e4f560bb3cdb9cdcd157adb773c3d7fa
                                   SHA256 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bd
                                   SHA512 9507ce6faec5c17d1078db95220e8dce8a5d055fc5cb574c09a8a54d8b08b6475db1641a9f8fb13170c2a02ca2b10f6d31b4f902603efff7eeb6df962d0efb21

                                 • memory/1012-282-0x0000000000E40000-0x0000000001334000-memory.dmp (Filesize 5.0MB)
                                 • memory/1012-283-0x0000000000520000-0x0000000000532000-memory.dmp (Filesize 72KB)
                                 • memory/1172-168-0x000000001B5C0000-0x000000001B8A2000-memory.dmp (Filesize 2.9MB)
                                 • memory/1172-169-0x0000000002290000-0x0000000002298000-memory.dmp (Filesize 32KB)
                                 • memory/1612-328-0x00000000001B0000-0x00000000006A4000-memory.dmp (Filesize 5.0MB)
                                 • memory/1728-223-0x0000000000420000-0x0000000000432000-memory.dmp (Filesize 72KB)
                                 • memory/2028-267-0x0000000000050000-0x0000000000544000-memory.dmp (Filesize 5.0MB)
                                 • memory/2108-209-0x0000000000950000-0x0000000000962000-memory.dmp (Filesize 72KB)
                                 • memory/2108-160-0x0000000000A00000-0x0000000000EF4000-memory.dmp (Filesize 5.0MB)
                                 • memory/2424-298-0x00000000000D0000-0x00000000005C4000-memory.dmp (Filesize 5.0MB)
                                 • memory/2716-238-0x0000000001190000-0x0000000001684000-memory.dmp (Filesize 5.0MB)
                                 • memory/2728-151-0x000000001B550000-0x000000001B832000-memory.dmp (Filesize 2.9MB)
                                 • memory/2728-152-0x00000000028A0000-0x00000000028A8000-memory.dmp (Filesize 32KB)
                                 • memory/2748-11-0x000000001ABC0000-0x000000001ABCA000-memory.dmp (Filesize 40KB)
                                 • memory/2748-10-0x0000000001230000-0x0000000001242000-memory.dmp (Filesize 72KB)
                                 • memory/2748-136-0x000007FEF5233000-0x000007FEF5234000-memory.dmp (Filesize 4KB)
                                 • memory/2748-16-0x000000001AC10000-0x000000001AC1C000-memory.dmp (Filesize 48KB)
                                 • memory/2748-15-0x000000001AC00000-0x000000001AC08000-memory.dmp (Filesize 32KB)
                                 • memory/2748-14-0x000000001ABF0000-0x000000001ABF8000-memory.dmp (Filesize 32KB)
                                 • memory/2748-13-0x000000001ABE0000-0x000000001ABEE000-memory.dmp (Filesize 56KB)
                                 • memory/2748-12-0x000000001ABD0000-0x000000001ABDE000-memory.dmp (Filesize 56KB)
                                 • memory/2748-0-0x000007FEF5233000-0x000007FEF5234000-memory.dmp (Filesize 4KB)
                                 • memory/2748-157-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp (Filesize 9.9MB)
                                 • memory/2748-9-0x0000000001220000-0x000000000122A000-memory.dmp (Filesize 40KB)
                                 • memory/2748-8-0x0000000001210000-0x0000000001220000-memory.dmp (Filesize 64KB)
                                 • memory/2748-7-0x00000000011F0000-0x0000000001206000-memory.dmp (Filesize 88KB)
                                 • memory/2748-6-0x00000000011E0000-0x00000000011F0000-memory.dmp (Filesize 64KB)
                                 • memory/2748-5-0x0000000000D30000-0x0000000000D38000-memory.dmp (Filesize 32KB)
                                 • memory/2748-4-0x00000000011C0000-0x00000000011DC000-memory.dmp (Filesize 112KB)
                                 • memory/2748-1-0x00000000012C0000-0x00000000017B4000-memory.dmp (Filesize 5.0MB)
                                 • memory/2748-3-0x000000001BA60000-0x000000001BB8E000-memory.dmp (Filesize 1.2MB)
                                 • memory/2748-2-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp (Filesize 9.9MB)
                                 • memory/2880-313-0x00000000013B0000-0x00000000018A4000-memory.dmp (Filesize 5.0MB)