Overview

overview

10

Static

static

10

7fb943a550...fd.exe

windows7-x64

10

7fb943a550...fd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2025 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7fb943a550881e7c59acdbba1164cbfd.exe

  • Size

    2.2MB

  • MD5

    7fb943a550881e7c59acdbba1164cbfd

  • SHA1

    ed5bb95d080cbcc5fafaaa0949fdcdfaece4dabe

  • SHA256

    f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510

  • SHA512

    a4b7e40e07f1d5b24fd2bec828c433d984087ee22478f11da9a2ab4bfb42c3c4609e3d24ba19e8fd0239bfffa532c6e4526d6ff9eb7e3a3d1788cb3e5f6e66fc

  • SSDEEP

    49152:K31tZUmbFNH1wLJDPqTo9lIS/MXU2F4/1l5eQ7K6:KltZUE6NDyTo9lv2F+VvK6

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 19 IoCs
    persistence
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 36 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Drops file in Program Files directory 60 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7fb943a550881e7c59acdbba1164cbfd.exe
    "C:\Users\Admin\AppData\Local\Temp\7fb943a550881e7c59acdbba1164cbfd.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2644
    • C:\Recovery\WindowsRE\RuntimeBroker.exe
      "C:\Recovery\WindowsRE\RuntimeBroker.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5044
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9218180e-99a2-40a3-b0aa-88fb82425f34.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Recovery\WindowsRE\RuntimeBroker.exe
          C:\Recovery\WindowsRE\RuntimeBroker.exe
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1396
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24a4b364-b641-4f84-b3ca-7c82eebbc16c.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5032
            • C:\Recovery\WindowsRE\RuntimeBroker.exe
              C:\Recovery\WindowsRE\RuntimeBroker.exe
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4392
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87f676c6-c76b-41a2-9772-881db7b6a656.vbs"
                7⤵
                  PID:688
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3595075-3007-401f-8287-1df600b2b793.vbs"
                  7⤵
                    PID:3608
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e22f74d-b32a-4bf4-8ba3-85f47d75e8af.vbs"
                5⤵
                  PID:4848
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\364130bb-c2fe-4ef4-96ab-21f8632118a6.vbs"
              3⤵
                PID:1152
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3684
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1060
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5092
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1388
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:896
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3896
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2928
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4944
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:376
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5060
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4420
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1248
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5040
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2628
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4904
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1348
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4996
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3100
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\SppExtComObj.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2096
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Tasks\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3460
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1536
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:956
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4828
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3252
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4668
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1864
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1240
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3088
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2924
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2492
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3020
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3428
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1304
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2496
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1880
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3312
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\SearchApp.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4512
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\SearchApp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4172
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\SearchApp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3128
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\unsecapp.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1200
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3876
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3576
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\sihost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3972
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4624
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3392
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4572
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3156
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3912
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3380
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:884
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2004
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Videos\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4136
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:828
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\My Videos\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4308
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1328
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2040
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2152

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          4
          T1112

          Credential Access

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          3
          T1082

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe
            Filesize

            2.2MB

            MD5

            d93111d491e1f415d0f69b11a68fd437

            SHA1

            6a2f053beb4efc2c662a370806f4bea5a30002cf

            SHA256

            818b2fb80964caa2077611c47bb27833ab0d61f959cdca3c411cbcf7e32028a5

            SHA512

            f15d17ef60bdf551f73a25aabacc23f41cde6755b038fe66441317f79cdb38c5c74b0cb521320040819da3e40ca5417398eced6493c769bc07213a50d7847f8e

            Download Submit

          • C:\Program Files (x86)\Windows Sidebar\SearchApp.exe
            Filesize

            2.2MB

            MD5

            5a60cbd86e97fae9172673e41555ae42

            SHA1

            eeedfbd1fe7f5f843949063beef5c4a6325fba2c

            SHA256

            4108ec710c360aacc56f872687d95c120e78b07256ba485ae4568ab19869fce5

            SHA512

            781a7f7a4a3453efafac52b3cf8e3a675c99c517c9713ee4a099da09d7bb2c939be61af2d33d54cd86f5bebbb50a1bf925459846f38efe3f523a81b7a0dfffe4

            Download Submit

          • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe
            Filesize

            2.2MB

            MD5

            998b541922a47d1409a130d016f458e2

            SHA1

            4c50cf192050071b30448f95db6fa4adff14f092

            SHA256

            ed867fbc7307100fb9010cf5bf73635d1b09e14d9d4728192d79ddcd4811defa

            SHA512

            1e2433a7e6bf9751877f53fc59997d264e58c802456f84042804de12ec27c254e53c41d8658a9fefe452e0c959a0138284856829fcb80ab34b03e5d7c1c1daea

            Download Submit

          • C:\Program Files\Mozilla Firefox\defaults\pref\services.exe
            Filesize

            2.2MB

            MD5

            dd5052e7fc392b346e4b7b7a60a43774

            SHA1

            2e66cd6b71664e91c557bfd8ba6ce4a7884f2868

            SHA256

            9e0214554e1c09869f0db630682ce26bf5803ecc37d7e51c070507bb04ed16be

            SHA512

            2f4af7dca0e14b6858de6d10aa8ed344363fb5e2e9bcbe2fff2cbede3374f2fa672dedbcbbca078eae1bae319c6e204951c8cd98ecf73ce4d33c3d341d5580b0

            Download Submit

          • C:\Program Files\Uninstall Information\SppExtComObj.exe
            Filesize

            2.2MB

            MD5

            7fb943a550881e7c59acdbba1164cbfd

            SHA1

            ed5bb95d080cbcc5fafaaa0949fdcdfaece4dabe

            SHA256

            f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510

            SHA512

            a4b7e40e07f1d5b24fd2bec828c433d984087ee22478f11da9a2ab4bfb42c3c4609e3d24ba19e8fd0239bfffa532c6e4526d6ff9eb7e3a3d1788cb3e5f6e66fc

            Download Submit

          • C:\Program Files\Uninstall Information\SppExtComObj.exe
            Filesize

            2.2MB

            MD5

            752671abb299fd3fe07a165ac4c76417

            SHA1

            f427292ee30983142087f9af0d1b3f7a29e40377

            SHA256

            c2df4703dcc05e8fead53b280dc79cdfa28acb45df57a46ded668ed5f3fe2819

            SHA512

            e3ba95db0d5b0ad870f8baaf7e6592e5ccdf1fe3276f1be3901da493b5f06039f2d905c0f81c9cfb6c00bfe362fc66dc18fbf9923ba78cd69daa65cd4318e16d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
            Filesize

            1KB

            MD5

            49b64127208271d8f797256057d0b006

            SHA1

            b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

            SHA256

            2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

            SHA512

            f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\24a4b364-b641-4f84-b3ca-7c82eebbc16c.vbs
            Filesize

            715B

            MD5

            10e7de048f7c9cc57a206c640280e7bd

            SHA1

            4fc72cc4da376cd1474ca68eb39a8e3502d1c185

            SHA256

            c5c3e86a45099a3dbe4afbabb8fd1f0475c29887812e9763aa6e19f86015cbcf

            SHA512

            b4203d1c1a5ac6a0a69bdb09eb1498b36079cbc90deba2b6aaa288bfb322ef64b52da0cab43d7dddd0adbe5ff3fba6806cfee5285046b15b1888929009373ffd

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\364130bb-c2fe-4ef4-96ab-21f8632118a6.vbs
            Filesize

            491B

            MD5

            3604a6919a330647c7ea7bf5b459fa00

            SHA1

            0c02dccf6fc25bb64882b27fea6e01405f9e823b

            SHA256

            568f1366d8ff3a6798e9c37855c59be20a3abd84464480fdcb6597c1bbd11720

            SHA512

            3340d04ebe26c7df4d7eac28a2663ba64948fe1f7371c8c94791eabd5427406ee6554273484a5d1189a741f301eeb5f68db9174d017d48a05d57b11440b8772c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\87f676c6-c76b-41a2-9772-881db7b6a656.vbs
            Filesize

            715B

            MD5

            d1d92265a80da04fb6c46f8ee6530777

            SHA1

            9eeb4d1753aacb5e54556707eb6b750e76adc6fd

            SHA256

            5b55208faf9e924cb9542c311e1c28056b40f3a2566488396816238f8f5a3bea

            SHA512

            ec52ae6c5e5d2dd693d46fe78b3dddf4e0fdc8d50d1cfadf052bd449753e843f0179287822bc78fdf3f5cc28138fed6111042e8be2ee7f08a293ae295b30cde3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\9218180e-99a2-40a3-b0aa-88fb82425f34.vbs
            Filesize

            715B

            MD5

            ddd58f3f700fe80498dc1e6362c25764

            SHA1

            e319720e5719f9e93a580c4c121467d5010dd298

            SHA256

            5678d02a223cc2150f8b004f1b67d6f3cb6f18a8171a77dcaef7f754ff79d71b

            SHA512

            9bab393b6d746dd7369fde9caceeae8705bb4a14616878ecb462decf31148de755f00d4ecfed2e42b6d4b80e281cf3e867b0a9ee9b3e2b80b764cc362e5cd2ad

            Download Submit

          • C:\Users\Default\Videos\Idle.exe
            Filesize

            2.2MB

            MD5

            0988b2923e900785854ce10efd41d01a

            SHA1

            a5f11f5df28ca9be74cde076c9f425e8e3d5f0de

            SHA256

            cb43d47b7328145995cd873ebb056adb6a55bf0174db6760a8e1e056c05a348e

            SHA512

            317b6128e20217cc64d3ed8f9ffbf026e217d6dba4ee129b34e387f9a4d16d88ef4902d4c74080d7d354884fc4dc3193f178ea6cc1477aad12368b15dbec9917

            Download Submit

          • C:\Windows\L2Schemas\wininit.exe
            Filesize

            2.2MB

            MD5

            5c9d6e05971ff3acb4a6e5744cfa618e

            SHA1

            2bbd5debecb7de49fa9a724f194382a89122507c

            SHA256

            42d49cfe99cebdcc6fc6168da7bf5fd9bbe4c3fe29a2a44f0224c8c77925b3fe

            SHA512

            f35963e12a1c6f37f79ba6ad29a4f7eb1cdee1be95704f432ba905cb67723c8e36f15cb2e2b4fa8b717a0d0b232323b0ee3e70c7942055951876b9dfdda196c1

            Download Submit

          • memory/2644-27-0x000000001C6A0000-0x000000001C6AE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2644-30-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2644-15-0x000000001C390000-0x000000001C398000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2644-16-0x000000001C3A0000-0x000000001C3AC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2644-17-0x000000001C3B0000-0x000000001C3B8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2644-19-0x000000001C3C0000-0x000000001C3D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2644-20-0x000000001C980000-0x000000001CEA8000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/2644-21-0x000000001C3D0000-0x000000001C3DC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2644-22-0x000000001C450000-0x000000001C45C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2644-23-0x000000001C460000-0x000000001C46C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2644-28-0x000000001C6F0000-0x000000001C6FC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2644-0-0x00007FF8CE2F3000-0x00007FF8CE2F5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2644-26-0x000000001C590000-0x000000001C598000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2644-25-0x000000001C580000-0x000000001C58E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2644-24-0x000000001C570000-0x000000001C57A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2644-29-0x000000001C700000-0x000000001C708000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2644-31-0x000000001C810000-0x000000001C81C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2644-14-0x000000001BE60000-0x000000001BE6C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2644-34-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2644-13-0x000000001BE50000-0x000000001BE5A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2644-12-0x000000001BE70000-0x000000001BE80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2644-11-0x000000001BD30000-0x000000001BD38000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2644-172-0x00007FF8CE2F3000-0x00007FF8CE2F5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2644-196-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2644-5-0x00000000032E0000-0x00000000032FC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2644-208-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2644-6-0x000000001C3E0000-0x000000001C430000-memory.dmp

            Filesize

            320KB

            Download

          • memory/2644-9-0x000000001BD10000-0x000000001BD26000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2644-10-0x0000000003320000-0x000000000332C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2644-7-0x0000000003300000-0x0000000003308000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2644-348-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2644-8-0x0000000003310000-0x0000000003320000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2644-4-0x00000000032D0000-0x00000000032DE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2644-3-0x00000000032C0000-0x00000000032CE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2644-2-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2644-1-0x0000000000E80000-0x00000000010AE000-memory.dmp

            Filesize

            2.2MB

            Download