Overview

overview

10

Static

static

10

25fac6b0d6...a7.exe

windows7-x64

10

25fac6b0d6...a7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    83s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 01:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe

  • Size

    3.2MB

  • MD5

    8c1a813f52ed5c9f746cc2baea9b421c

  • SHA1

    923f06dd79705fe0957b6efa9b47f8a726e80b08

  • SHA256

    25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7

  • SHA512

    b524b7766912011f5ff17bf8b7b4b96abed8a77b113a27eb4ef9ba2fa840946b5443e68204e1e2e45ed9a78c2c681ad12c5a1324bcafee63d297f8dfe8cddb57

  • SSDEEP

    49152:oD+WhPI+P05YhHbpHP1qcdhymFKN/1cCLKtrp8qotx/8jwwpO5:k+WhPIq0iHPEA1W/19LGrBoP9wpO5

Score
10/10
dcratevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Drops file in Program Files directory 35 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
    "C:\Users\Admin\AppData\Local\Temp\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\include\win32\WmiPrvSE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\taskhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\WMIADAP.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\winlogon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2136
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\es-ES\dwm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Help\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\de-DE\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\taskhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WMIADAP.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1768
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uYA2TrKB2l.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1928
        • C:\Users\Default User\wininit.exe
          "C:\Users\Default User\wininit.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2980
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f63c65e2-4d6a-4546-a2f8-630e6a82cce0.vbs"
            4⤵
              PID:2396
              • C:\Users\Default User\wininit.exe
                "C:\Users\Default User\wininit.exe"
                5⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:2480
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a423a2db-d17b-4866-bf11-08e7a7e6dd2b.vbs"
              4⤵
                PID:1884
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\WmiPrvSE.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2860
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1276
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2672
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2576
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\System.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2604
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:660
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\WMIADAP.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1540
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\WMIADAP.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:320
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\WMIADAP.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1660
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1092
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1640
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:756
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\System.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1560
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SchCache\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1928
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Desktop\winlogon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2724
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Desktop\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:628
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2876
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2620
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2112
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2416
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2960
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1128
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\es-ES\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1604
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:948
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\es-ES\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\Help\wininit.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1972
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Help\Help\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\Help\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1008
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2288
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1336
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a72" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2632
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7" /sc ONLOGON /tr "'C:\MSOCache\All Users\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2236
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a72" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2316
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\taskhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2296
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\tracing\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1252
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:988
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2168
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1492
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:876
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WMIADAP.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1632
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1768
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2964

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
          Filesize

          3.2MB

          MD5

          8c1a813f52ed5c9f746cc2baea9b421c

          SHA1

          923f06dd79705fe0957b6efa9b47f8a726e80b08

          SHA256

          25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7

          SHA512

          b524b7766912011f5ff17bf8b7b4b96abed8a77b113a27eb4ef9ba2fa840946b5443e68204e1e2e45ed9a78c2c681ad12c5a1324bcafee63d297f8dfe8cddb57

          Download Submit

        • C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe
          Filesize

          3.2MB

          MD5

          24b7b6ed4396e0fc859574e3b0701d4b

          SHA1

          6e109700c5490ecc35bde179b5188e3e590dbc45

          SHA256

          693ed80074024cf70f509c889cbc55da1018438886f3e987a805e1f741dfc5ab

          SHA512

          e3426d79eb6f4bf5f340e7101482fee0e9b515104e8617a4659323684476c3abee39d2e364e2b62e7d85fc88399944dfd506d9bd5d933368e6c1f1c776eb4c2c

          Download Submit

        • C:\Program Files\Java\jdk1.7.0_80\include\win32\WmiPrvSE.exe
          Filesize

          3.2MB

          MD5

          e9b91173eb2dc48b936007b9134baa87

          SHA1

          79bc74ea40af564013647abbe88177166e51d0c2

          SHA256

          eedcfa97d225d777d2e8d208a1071e30dd28048238310f54341ac6c82beaccba

          SHA512

          dfe7f4dc921fbb45e1b93e3a6f6f621c1ebcfd53aaa1282ef740882b5d6da75df6cc03b8ba97840b4940d7ae36e38286e109bc4c4a136da360684bd5bc77a435

          Download Submit

        • C:\Program Files\Uninstall Information\taskhost.exe
          Filesize

          3.2MB

          MD5

          c52b2fc908c90647bbc018c7513e86c9

          SHA1

          a2036cf71f76d41941f48fedf39ce02206fb0ea5

          SHA256

          23e35b1a6c08fe6f74341f83738151b1402abdc10eef8ec6201a056dc9dcd30c

          SHA512

          46d6b1608f8e046d37970782e27d4d0dea782bfbf77c2fb855250b6c7ec3f3b8ce9ecd56334c814fd820df1af380bbb9c2d7eaf35d417003d536c51a9daa3adc

          Download Submit

        • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WMIADAP.exe
          Filesize

          3.2MB

          MD5

          6d20a4cb99f61f2b8ceabb982211ca55

          SHA1

          fc9cb4c246e64602adfe0aed701dbf4af638c459

          SHA256

          c64c3bef1cb0d0c18dd9ba5e28c08f965b7add33da621c82ddac6e71e1a4ef2a

          SHA512

          ec91d668ea118ba2f11894caf050774ca806234956915a15143b98c4010f0636268d7836c8e2a6060bcd62824c7a688c63bf280cfd0f98d3b9f2d711417cf7ee

          Download Submit

        • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe
          Filesize

          3.2MB

          MD5

          3cec05854d9bed804fca9a4546e24b19

          SHA1

          cfc10c538da84aa03a99d9262f5d94e82dac173f

          SHA256

          3ea753b0e0255b4d6e03a319d23f04b532611ecfb8f2990ad93fe6546cbe2366

          SHA512

          5b97ea2f5c681cec1696ebacb48037a544779820b6d44c5765626f10648d936c4c5f1e06eaec86616e8ae81b8e9c625bd71e16646fdedace3aea310ef4fccc51

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\a423a2db-d17b-4866-bf11-08e7a7e6dd2b.vbs
          Filesize

          485B

          MD5

          71f1a81583e681d710a63f1dd7b60a1d

          SHA1

          997d112911a9b8268d6f394474cc67a052100a11

          SHA256

          ca429d455c6a38be029fe3ed1ff5ec8490736c9bffbb35764a45a2c7039d76fb

          SHA512

          5d249b6cbd910224f36e3d504ed72ec5a4150a506c1c7ab1faeb290159998147a95cf68930ca9bfe4b3d431f3bbfdd9248f9b4a1252df43c4e6b0836012d68f7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\f63c65e2-4d6a-4546-a2f8-630e6a82cce0.vbs
          Filesize

          709B

          MD5

          31216a867bf14a0a55db8312cadbd737

          SHA1

          f28284b1b54b3745a1774b4290d2678be9ba56fb

          SHA256

          ad992e08d89356d7ca266c8017ce330ebfe094307b2b24264d896f6e63390713

          SHA512

          f1fd372b3a94dd783e16276bf27e28759143407157c19b6f95b29009772a8627439b54b72e8eed1f4fdd90242996c7dd7b0b0810763ae8d2314e5d3463b8e04c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\uYA2TrKB2l.bat
          Filesize

          198B

          MD5

          2c83fbb1e4d2693b85ced8bff6f4453e

          SHA1

          c1bb6444cbf3684dbdf02c5fb683f763ab761abe

          SHA256

          64a3cc45db6d5ef327cee1f01ec23515d9e252bee020c8dc2b38332170af5bb1

          SHA512

          db5ca928a504479ec0c2c08451c86f8c9eef76f7b5d9b275c84bfb72ab4359f10a21427538eac62873a120684962255c6dcd82f0d68b79cce2851f858e68c9bb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          6af67f026a36813fb467557b4d8e19df

          SHA1

          3ebf53f334d6b8614c9c0f688a177e4946ed517f

          SHA256

          010c6ffa861abbbfb93868e46be6f9485aaab03d3349f3ba6457ab5cf965cfe8

          SHA512

          e08676692ee0b7d01dd7aedbfab5a24814682f4dc0dceb01217cf1c6cce6b93da337fe14d7e3a5021ae24eb3d691dfc893f32c0b8cb16c3279e2b5d70fd58bfe

          Download Submit

        • C:\Users\Default\wininit.exe
          Filesize

          3.2MB

          MD5

          e8b66dd0f4aa191ee081bcf976e9fecd

          SHA1

          5cce39747b301475aff651392d9571c9ee6059c5

          SHA256

          d72c4f5f0d0e9a4e26b25ffd6f2cac0f2021a6fbd77e3f4e44ef2a1846e8c630

          SHA512

          725c24d9c405f32f2701c353f4a399bb3e9d0af15af7e7626c8aa85ca4d97094cf08613bc41a3070e155222718d66fd89657981ef65d1a19c158170394c7c06b

          Download Submit

        • C:\Windows\tracing\taskhost.exe
          Filesize

          3.2MB

          MD5

          bc7eb219910acc2682d70f5e22ceee73

          SHA1

          1b7882490544a155835522bb74c75f402315f169

          SHA256

          95af289f720c0d0fbefe744118acebe2087b6a3aa6a29915fbe33fb245661008

          SHA512

          f33c79214ad87bd3c8bfa53e41e421a7cf5b412ff85a34aabd2cb81d5257e59123d5fd06518b43098a4b9e75870a4527c82ac8b670e659b427a4e2bd4ac90074

          Download Submit

        • memory/112-296-0x000000001B780000-0x000000001BA62000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1716-22-0x000000001AB80000-0x000000001AB8C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1716-29-0x000000001ABF0000-0x000000001ABF8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1716-10-0x00000000024B0000-0x00000000024C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1716-11-0x00000000024A0000-0x00000000024AA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1716-12-0x00000000024C0000-0x0000000002516000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1716-14-0x0000000002520000-0x000000000252C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1716-13-0x0000000002510000-0x0000000002518000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1716-15-0x0000000002570000-0x0000000002578000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1716-17-0x000000001AB10000-0x000000001AB22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1716-18-0x000000001AB40000-0x000000001AB4C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1716-19-0x000000001AB50000-0x000000001AB5C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1716-20-0x000000001AB60000-0x000000001AB68000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1716-21-0x000000001AB70000-0x000000001AB7C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1716-8-0x0000000002280000-0x0000000002288000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1716-23-0x000000001ABA0000-0x000000001ABA8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1716-24-0x000000001AB90000-0x000000001AB9C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1716-26-0x000000001ABC0000-0x000000001ABCE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1716-25-0x000000001ABB0000-0x000000001ABBA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1716-28-0x000000001ABE0000-0x000000001ABEE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1716-27-0x000000001ABD0000-0x000000001ABD8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1716-30-0x000000001AC00000-0x000000001AC0C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1716-9-0x0000000002490000-0x0000000002498000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1716-31-0x000000001AC10000-0x000000001AC18000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1716-32-0x000000001AFF0000-0x000000001AFFA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1716-34-0x000000001B000000-0x000000001B00C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1716-33-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1716-201-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1716-225-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1716-7-0x0000000002260000-0x0000000002276000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1716-249-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1716-6-0x00000000005D0000-0x00000000005E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1716-276-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1716-5-0x00000000005B0000-0x00000000005B8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1716-4-0x0000000000590000-0x00000000005AC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1716-0-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1716-3-0x0000000000580000-0x000000000058E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1716-2-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1716-1-0x00000000001F0000-0x0000000000524000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2136-302-0x0000000001D20000-0x0000000001D28000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2480-379-0x0000000000390000-0x00000000006C4000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2980-368-0x0000000001090000-0x00000000013C4000-memory.dmp

          Filesize

          3.2MB

          Download