Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2024 03:33

General

  • Target

    5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe

  • Size

    1.5MB

  • MD5

    cac1d4f15ef3ded5035137eb65f76334

  • SHA1

    e8765a89bb9095471a3c267bdfe501729a20d6e3

  • SHA256

    5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235

  • SHA512

    f01c944e01587c14d2a16f88b24e6eb65e9eb6ad354132c426d8df2cdfc203b2817e0e5bc2f4d34abda11c2e8d67ec112972c283690e966f0fae637758def8ad

  • SSDEEP

    24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRP:kzhWhCXQFN+0IEuQgyiVKH

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 42 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Adds Run key to start application 2 TTPs 16 IoCs
  • Checks whether UAC is enabled 1 TTPs 28 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
    "C:\Users\Admin\AppData\Local\Temp\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\upfc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages\OfficeClickToRun.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2232
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\XpsDocumentTargetPrint\SppExtComObj.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\OfficeClickToRun.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\smss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3416
    • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe
      "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1096
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a55cf13-9239-40e4-9616-728817d0b0a4.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:616
        • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe
          "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5020
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75bd27e0-5442-4959-9706-4947a321dc63.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4872
            • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe
              "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1952
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67121733-6b95-4cc8-b531-31c20c9600dd.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2684
                • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe
                  "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
                  8⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:4628
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a112bd9f-7935-4bbd-8b42-0972ec7381a4.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4256
                    • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe
                      "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
                      10⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:4864
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32874317-6337-4fd8-a8be-888e882d34ad.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3208
                        • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe
                          "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
                          12⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:2280
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\394cd2ad-1174-4f2c-ad7f-ee29870606f8.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3276
                            • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe
                              "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
                              14⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:1428
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d5051f9-9666-408e-8cef-0e7eeaca75d5.vbs"
                                15⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2088
                                • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe
                                  "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
                                  16⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:1068
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94157912-2525-4731-8627-b22fc575edc5.vbs"
                                    17⤵
                                      PID:2744
                                      • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe
                                        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
                                        18⤵
                                        • UAC bypass
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Modifies registry class
                                        • Suspicious use of AdjustPrivilegeToken
                                        • System policy modification
                                        PID:548
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f4dd790-20b9-46c0-acdf-470a9dc91d8c.vbs"
                                          19⤵
                                            PID:2120
                                            • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe
                                              "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
                                              20⤵
                                              • UAC bypass
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Modifies registry class
                                              • Suspicious use of AdjustPrivilegeToken
                                              • System policy modification
                                              PID:4988
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12510e34-886e-4021-b97c-5ffc6498cc93.vbs"
                                                21⤵
                                                  PID:4056
                                                  • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe
                                                    "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
                                                    22⤵
                                                    • UAC bypass
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Modifies registry class
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:2208
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d6ae87a-4c61-407e-9ff8-77ebb14e28cf.vbs"
                                                      23⤵
                                                        PID:4436
                                                        • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe
                                                          "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
                                                          24⤵
                                                          • UAC bypass
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          • Modifies registry class
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • System policy modification
                                                          PID:424
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\993d1984-501b-4afc-8d16-4aaa1dfed846.vbs"
                                                            25⤵
                                                              PID:1888
                                                              • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe
                                                                "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
                                                                26⤵
                                                                • UAC bypass
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Checks whether UAC is enabled
                                                                • Modifies registry class
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • System policy modification
                                                                PID:2088
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18f43ac6-9d77-4c2d-a1e4-966c85123454.vbs"
                                                                  27⤵
                                                                    PID:1204
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77cc42b0-9534-4f8e-88cb-83fc1ac29ab3.vbs"
                                                                    27⤵
                                                                      PID:2092
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cc4b5f7-d92b-414d-8a14-d84b80f23ac7.vbs"
                                                                  25⤵
                                                                    PID:2476
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c909a5f-33d8-411d-9ad2-e30689949d27.vbs"
                                                                23⤵
                                                                  PID:2420
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5221ebd8-42a8-4d13-8acc-6385d0b0e764.vbs"
                                                              21⤵
                                                                PID:4672
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65e9b657-e048-416b-a14e-6d38355b1698.vbs"
                                                            19⤵
                                                              PID:1384
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8ab1052-d995-4271-b8be-4783af2e390e.vbs"
                                                          17⤵
                                                            PID:1984
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a527a541-3738-4e72-aa10-b50ab3b3bd64.vbs"
                                                        15⤵
                                                          PID:2348
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60618a5d-96f0-4a3d-b2fc-5dd76e0bd81c.vbs"
                                                      13⤵
                                                        PID:1176
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23bf3db3-24ce-46a4-82be-318c7fd6d48d.vbs"
                                                    11⤵
                                                      PID:1060
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3101ea53-f79e-42c1-b924-1f5bbd94447c.vbs"
                                                  9⤵
                                                    PID:2052
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f535b84-ff60-4ad4-b9bb-4f7521b9cd67.vbs"
                                                7⤵
                                                  PID:1572
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be022fe8-44ca-4c9c-92d7-8069c3291f2b.vbs"
                                              5⤵
                                                PID:4480
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74d3a9da-3a22-4be7-a1af-9095339e746c.vbs"
                                            3⤵
                                              PID:4024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Documents and Settings\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\XpsDocumentTargetPrint\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2360

Network

MITRE ATT&CK Enterprise v15


                                        Downloads

                                        • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe

                                          Filesize

                                          1.5MB

                                          MD5

                                          52e48d73865cfb8ee0750ef2dc3cd210

                                          SHA1

                                          238363714a870301797e50269e1bd24ae22b4f01

                                          SHA256

                                          5467550e220512208370c4eb14f71b9c5664a3ebd9f92a71c9f2be814a678073

                                          SHA512

                                          7f25b34e8a14abc62df55b671580f662d97697d461e2991fb8b008b7b81079ebffc0f3741e33b1e7ac73a81c8b22edbdccdbd4bead6d443c358eb947af7d6978

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

                                          Filesize

                                          1KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                          Filesize

                                          2KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          944B

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          944B

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          944B

                                        • C:\Users\Admin\AppData\Local\Temp\12510e34-886e-4021-b97c-5ffc6498cc93.vbs

                                          Filesize

                                          766B

                                        • C:\Users\Admin\AppData\Local\Temp\18f43ac6-9d77-4c2d-a1e4-966c85123454.vbs

                                          Filesize

                                          766B

                                        • C:\Users\Admin\AppData\Local\Temp\1f4dd790-20b9-46c0-acdf-470a9dc91d8c.vbs

                                          Filesize

                                          765B

                                        • C:\Users\Admin\AppData\Local\Temp\32874317-6337-4fd8-a8be-888e882d34ad.vbs

                                          Filesize

                                          766B

                                        • C:\Users\Admin\AppData\Local\Temp\394cd2ad-1174-4f2c-ad7f-ee29870606f8.vbs

                                          Filesize

                                          766B

                                        • C:\Users\Admin\AppData\Local\Temp\3d5051f9-9666-408e-8cef-0e7eeaca75d5.vbs

                                          Filesize

                                          766B

                                        • C:\Users\Admin\AppData\Local\Temp\67121733-6b95-4cc8-b531-31c20c9600dd.vbs

                                          Filesize

                                          766B

                                        • C:\Users\Admin\AppData\Local\Temp\6d6ae87a-4c61-407e-9ff8-77ebb14e28cf.vbs

                                          Filesize

                                          766B

                                        • C:\Users\Admin\AppData\Local\Temp\74d3a9da-3a22-4be7-a1af-9095339e746c.vbs

                                          Filesize

                                          542B

                                        • C:\Users\Admin\AppData\Local\Temp\75bd27e0-5442-4959-9706-4947a321dc63.vbs

                                          Filesize

                                          766B

                                        • C:\Users\Admin\AppData\Local\Temp\94157912-2525-4731-8627-b22fc575edc5.vbs

                                          Filesize

                                          766B

                                        • C:\Users\Admin\AppData\Local\Temp\993d1984-501b-4afc-8d16-4aaa1dfed846.vbs

                                          Filesize

                                          765B

                                        • C:\Users\Admin\AppData\Local\Temp\9a55cf13-9239-40e4-9616-728817d0b0a4.vbs

                                          Filesize

                                          766B

                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1cauhoyk.gvn.ps1

                                          Filesize

                                          60B

                                        • C:\Users\Admin\AppData\Local\Temp\a112bd9f-7935-4bbd-8b42-0972ec7381a4.vbs

                                          Filesize

                                          766B

                                        • C:\Windows\System32\XpsDocumentTargetPrint\SppExtComObj.exe

                                          Filesize

                                          1.5MB

                                        • C:\Windows\System32\XpsDocumentTargetPrint\SppExtComObj.exe

                                          Filesize

                                          1.5MB

                                        • memory/388-14-0x000000001AEB0000-0x000000001AEBC000-memory.dmp  Filesize 48KB
                                        • memory/388-21-0x000000001B790000-0x000000001B798000-memory.dmp  Filesize 32KB
                                        • memory/388-20-0x000000001AF00000-0x000000001AF0C000-memory.dmp  Filesize 48KB
                                        • memory/388-0-0x00007FFEF9FB3000-0x00007FFEF9FB5000-memory.dmp  Filesize 8KB
                                        • memory/388-13-0x000000001AEA0000-0x000000001AEAA000-memory.dmp  Filesize 40KB
                                        • memory/388-233-0x00007FFEF9FB3000-0x00007FFEF9FB5000-memory.dmp  Filesize 8KB
                                        • memory/388-11-0x00000000025A0000-0x00000000025B0000-memory.dmp  Filesize 64KB
                                        • memory/388-240-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp  Filesize 10.8MB
                                        • memory/388-25-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp  Filesize 10.8MB
                                        • memory/388-18-0x000000001AEF0000-0x000000001AEF8000-memory.dmp  Filesize 32KB
                                        • memory/388-17-0x000000001AEE0000-0x000000001AEEC000-memory.dmp  Filesize 48KB
                                        • memory/388-16-0x000000001AED0000-0x000000001AED8000-memory.dmp  Filesize 32KB
                                        • memory/388-15-0x000000001AEC0000-0x000000001AECA000-memory.dmp  Filesize 40KB
                                        • memory/388-5-0x0000000002550000-0x000000000255C000-memory.dmp  Filesize 48KB
                                        • memory/388-1-0x0000000000180000-0x00000000002FE000-memory.dmp  Filesize 1.5MB
                                        • memory/388-4-0x0000000002530000-0x0000000002542000-memory.dmp  Filesize 72KB
                                        • memory/388-2-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp  Filesize 10.8MB
                                        • memory/388-10-0x0000000002590000-0x00000000025A0000-memory.dmp  Filesize 64KB
                                        • memory/388-24-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp  Filesize 10.8MB
                                        • memory/388-12-0x00000000025B0000-0x00000000025B8000-memory.dmp  Filesize 32KB
                                        • memory/388-9-0x0000000002580000-0x000000000258C000-memory.dmp  Filesize 48KB
                                        • memory/388-8-0x0000000002570000-0x0000000002578000-memory.dmp  Filesize 32KB
                                        • memory/388-3-0x0000000000B30000-0x0000000000B38000-memory.dmp  Filesize 32KB
                                        • memory/388-7-0x0000000002560000-0x000000000256C000-memory.dmp  Filesize 48KB
                                        • memory/388-6-0x0000000002540000-0x000000000254A000-memory.dmp  Filesize 40KB
                                        • memory/1068-339-0x0000000002B90000-0x0000000002BA2000-memory.dmp  Filesize 72KB
                                        • memory/1096-241-0x0000000001800000-0x0000000001812000-memory.dmp  Filesize 72KB
                                        • memory/1096-239-0x0000000000E50000-0x0000000000FCE000-memory.dmp  Filesize 1.5MB
                                        • memory/1428-327-0x000000001B400000-0x000000001B412000-memory.dmp  Filesize 72KB
                                        • memory/1784-157-0x000001CC00000000-0x000001CC00022000-memory.dmp  Filesize 136KB
                                        • memory/2208-373-0x0000000002E00000-0x0000000002E12000-memory.dmp  Filesize 72KB
                                        • memory/4864-304-0x0000000001920000-0x0000000001932000-memory.dmp  Filesize 72KB