Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

5adfa270bb...64.exe

windows7-x64

10

5adfa270bb...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13/01/2025, 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe

  • Size

    1.7MB

  • MD5

    c50c35e409f7f805813e4ce6f1cc9d79

  • SHA1

    57e8abebac7257fb14fb22ef794a3204540ef623

  • SHA256

    5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164

  • SHA512

    6aeeeaa5b491f3221db6b7afca69416ac46658d61c72e478c1ad817068e5ddb4617632b41c0aacf2b3d889300c56c0b762343fe6a4c1df668d5760d144a4bfdf

  • SSDEEP

    49152:D+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvT:uTHUxUoh1IF9gl2K

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 14 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 30 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
    "C:\Users\Admin\AppData\Local\Temp\5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2460
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:968
    • C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe
      "C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a61d4766-7248-4c8a-a282-64250a2c67e8.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe
          "C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\718b38df-8191-4b47-a517-c6a1ef8cf988.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1404
            • C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe
              "C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1036
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32a842b2-9b15-4935-80c3-07f8320803de.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2344
                • C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe
                  "C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1916
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf5133a6-8579-441f-8191-55dc506815e0.vbs"
                    9⤵
                      PID:2996
                      • C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe
                        "C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe"
                        10⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2704
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98170968-d09b-4bfe-8036-3d30ba120346.vbs"
                          11⤵
                            PID:2860
                            • C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe
                              "C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe"
                              12⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2256
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ffb8496-bf55-4eb0-ac89-64b0d1f9c51d.vbs"
                                13⤵
                                  PID:1892
                                  • C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe
                                    "C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe"
                                    14⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2224
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dadc179f-69ca-40e9-b7a4-489686e5d3e6.vbs"
                                      15⤵
                                        PID:1156
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a1ce966-1bce-4d69-ba5b-22954f7814f4.vbs"
                                        15⤵
                                          PID:2896
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25f283fa-97f8-4c88-a146-79cf7932333b.vbs"
                                      13⤵
                                        PID:2820
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8decfebd-fa45-446f-801e-9682bfccdc85.vbs"
                                    11⤵
                                      PID:2688
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d91bd46c-a886-4645-a21f-eeef9a97c34b.vbs"
                                  9⤵
                                    PID:1760
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af7a08d3-4b8f-4d54-bd92-cfd49b72c908.vbs"
                                7⤵
                                  PID:2876
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fb4fbf0-6774-4abd-8277-d0ec58668950.vbs"
                              5⤵
                                PID:1708
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cee2e871-fc00-4749-9f54-10eb9d5de7ed.vbs"
                            3⤵
                              PID:1976
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2552
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2588
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2632
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\features\taskhost.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2156
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\taskhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:3048
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\features\taskhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:736
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1712
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:444
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2536
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\IMEJP10\System.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2164
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\IME\IMEJP10\System.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1656
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\IMEJP10\System.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2256
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2860
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2204
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1696
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\plugins\lua\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2892
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\lua\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:672
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\lua\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:3012
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2268
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1788
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2080
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2464
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1136
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:532
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2372
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2160
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2352
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1968
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2296
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1936
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1880
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SysWOW64\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2376
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:596
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteApps\spoolsv.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:820
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\spoolsv.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:888
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteApps\spoolsv.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1680
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2116
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:860
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1736
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1516
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1684
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:3020
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1536
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2992
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1464
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2520
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2532
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1760

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Program Files\Uninstall Information\lsass.exe
                          Filesize

                          1.7MB

                          MD5

                          96dd1c5b0d2d27f26d6783ac31fe963f

                          SHA1

                          de50104f89d278cf881f93b198f9d81288fec182

                          SHA256

                          2c5421d676fcfba8c4a453fa733a5a6d5feea5462379ec16c39e700f186c1773

                          SHA512

                          5b8d9fad7fc2651c21f2ed0cbd4f68ef87f96fa62ef3839bb9f857499153953f5cd535b957f57c38acee622bf3ce132e4f32285b2a010a2d45634ad9cb89c1da

                          Download Submit

                        • C:\Program Files\VideoLAN\VLC\plugins\lua\csrss.exe
                          Filesize

                          1.7MB

                          MD5

                          341c1bc343c0aacb4ea14079b3fece65

                          SHA1

                          363a5106a99de3626c6329de7873316e4ca481cf

                          SHA256

                          f24a774409a8234b8e1b4ef9c8cf98e6dfbd484a91ff1694bff40070db22873e

                          SHA512

                          7278ad0bdda8beefc253fd9e7367a0670c0b6e013608b8b5a1d911a31e87574fbc808e614e152de5aeaf46668c54a0b787aef21e1da5fa5c770b59b88a1215cb

                          Download Submit

                        • C:\Program Files\Windows Journal\csrss.exe
                          Filesize

                          1.7MB

                          MD5

                          c50c35e409f7f805813e4ce6f1cc9d79

                          SHA1

                          57e8abebac7257fb14fb22ef794a3204540ef623

                          SHA256

                          5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164

                          SHA512

                          6aeeeaa5b491f3221db6b7afca69416ac46658d61c72e478c1ad817068e5ddb4617632b41c0aacf2b3d889300c56c0b762343fe6a4c1df668d5760d144a4bfdf

                          Download Submit

                        • C:\ProgramData\Microsoft\Windows\Templates\audiodg.exe
                          Filesize

                          1.7MB

                          MD5

                          a7cdab2983db368a8ccd9b850e9027c9

                          SHA1

                          89500c17300be6dddf5cd3afc7a6c559950705cd

                          SHA256

                          ea7859e38db34a8d4c95fc6c220abf033f8651bccb4b7413e0ef2d6abef63f30

                          SHA512

                          20978b667073f2378c0d6de6ea26768937331fc44be85a8e12a297164d8f9656796cdff923c483125f9ea355379784d576fa3663933c982ca67d7021f9906bac

                          Download Submit

                        • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe
                          Filesize

                          1.7MB

                          MD5

                          f0ff196738b697c04a3076b0e0bf800d

                          SHA1

                          a0d1e7a98a384112b46b4e3f6b8fc36e5aac0252

                          SHA256

                          5b88872dc12f2fa702881278de929b52d062e37a6fbabcf36ccbcb70ee1aac7e

                          SHA512

                          90f7523d2f8d0f9e054804a0c3ef09813fc89f4aa84de7e56f7561f485a8471cc62f5940ad077cab7557a4ef826092355f1a2e4cba0293d648576b3e0f236ea4

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\32a842b2-9b15-4935-80c3-07f8320803de.vbs
                          Filesize

                          729B

                          MD5

                          d14da8ebbd516aa8c2e7ab054a4dcc70

                          SHA1

                          7b7cc405efa5d730e0e4f8b68f42f57fe17a47b9

                          SHA256

                          b504b9a2a204086b82cc9652319a2ec342d24cdebb6f3d94aa51392c45466d73

                          SHA512

                          5577584d613a86418ed1d37d1b455101e23c4cc625b8a2e3c5fd830e32ed0d34935863d8432dfdfafd206ab4cecb437d5e8c7d0703be20a082aca0ff93f58891

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\718b38df-8191-4b47-a517-c6a1ef8cf988.vbs
                          Filesize

                          729B

                          MD5

                          6f232bf53bce47c30df7cee2608a53dd

                          SHA1

                          23b9a8eefb73dcba7d512977862ef8804e94a482

                          SHA256

                          21e0d6de0308fed58dbe65ee6b3f8ba9037bc1828e6d1904c1d7c1cb4d1a5795

                          SHA512

                          f7a7394539b4ffab97717dbe0bb4e0eb292950c51280027414062d8184f7a82a3c755a2fd7b160f82a5a3f6d850eda77bba20efaf21e2c264b823b0e80e188e7

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\8ffb8496-bf55-4eb0-ac89-64b0d1f9c51d.vbs
                          Filesize

                          729B

                          MD5

                          e959f68d678ce0f14555b06ebb1ba7d0

                          SHA1

                          eb7ff80275804167393f17edd63c1a6befbf20d3

                          SHA256

                          b51b7dbb054d2f5bad4259287bf3e4d4bfcce64b2144f5d095b2306a6735f402

                          SHA512

                          eb5ef5f00660571367c1669f98c990394d43bea4aef76a6ce071c35784ed0ca5294983c7b1d266b0f88eb7d6a35485ff4e53ff2a0e84ac383a897b41fe88e5f2

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\98170968-d09b-4bfe-8036-3d30ba120346.vbs
                          Filesize

                          729B

                          MD5

                          059e743e0d85526f61261c0c199d6e68

                          SHA1

                          a036b7b129424e105772645df4924bcae3236d96

                          SHA256

                          7c3bfcb08ca1371582ba08e5e6eee9e15af54b2958f9cd0a5e611158891219a5

                          SHA512

                          36eceb42c435a0ca08f4740993c938b20e6af0f7f3a39d02537e3caaacd9c13aa7987e8b990a74a142e3970ed9fb4c620337b0aab3f8769e674362c747869cd3

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\a61d4766-7248-4c8a-a282-64250a2c67e8.vbs
                          Filesize

                          729B

                          MD5

                          a68cb20f094a085dcd54880866031ac8

                          SHA1

                          217ba5e0e2d43c1012addb33dedd12d394de4075

                          SHA256

                          3554d0d96bf5a8c14e402efbcfb37434fde2b1f49c5aaede14df9804d78234bc

                          SHA512

                          ab9d856936a3d68da9a4a53fa8138c1a77bc698823af84f9c262f6bb3c52fd7b48c90e95e057d968824b198a982340b9c537671aa36c3d79bf7f147d9fa15903

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\cee2e871-fc00-4749-9f54-10eb9d5de7ed.vbs
                          Filesize

                          505B

                          MD5

                          bd93ee86b7c03f34164058211ed497e0

                          SHA1

                          f6fabc2338c77b18b9242354b96a6e9feeb8d514

                          SHA256

                          5f2b103c1babf941b9624f6624510fd31eb4740e146c88b83864ddd239ca924c

                          SHA512

                          00595c266287d6fedd1c403ee3009c7b7491d777614e39f6b8af9f6f403ee1ef2595eff075e9f7d7d327b7f3b41c0a6c42c935978f3575bf0a22857b71c2d8e1

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\cf5133a6-8579-441f-8191-55dc506815e0.vbs
                          Filesize

                          729B

                          MD5

                          e412df44a6f4576b1a4ea65c552185e3

                          SHA1

                          44c64becc93fb606237bc32f4d9a84b7ccf9c5aa

                          SHA256

                          d6b653be8cf9b6eab2130968a619fc41faf2acefa408b358be7f614c7e3b20c4

                          SHA512

                          d9be6b8382d1ed7f132c263a1ac4bf6f26e1fd975656d4c4ed229ccc5dcc524511273c2914f18b9433ca4a32f2feec1e3b91042c7deab270a6eed1d45f296961

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\dadc179f-69ca-40e9-b7a4-489686e5d3e6.vbs
                          Filesize

                          729B

                          MD5

                          6398c745ff4527a3154f72030b2f7727

                          SHA1

                          8ea1dd666bd307e62e32d18af031f7c34b7d860e

                          SHA256

                          9a795ddb10aff9fb354760578a2c53fd25063b7da3085cdb86a6e0812a66b836

                          SHA512

                          c4442504cd2ddcf83bf578fd2f42903be69c42f92e4f03ddc9135b8783b31419bb8b8c39a7cb494e229ce7f569b332bbc551936ba96d40602e1bb7bd426f70f4

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                          Filesize

                          7KB

                          MD5

                          9f4171f2a46175cf575c88d5567a1a62

                          SHA1

                          ba557e11d7600fa67cc885bdbcdb52a0b7978c30

                          SHA256

                          796e8fbbffe06caff2ee76122296899a9f0ab54fb96706a7d353c78b3b44eb49

                          SHA512

                          b0bf0a8294d395216dd1b0d5ec944edd4490ba539b20eb19294b22ee6542893a38e31546024fbcc9ee02dcb21c1d136c733c898dcac32fe079bfc36586aae7c8

                          Download Submit

                        • C:\Windows\AppCompat\Programs\csrss.exe
                          Filesize

                          1.7MB

                          MD5

                          df3f748a0a7c53a897301bf2ad9c907c

                          SHA1

                          2cb10732e468458f508a31bb6ec239b1a2972a67

                          SHA256

                          ba6db366d4aca3137688890e46e119d4c7381a59f699fe3f533e30906a09349f

                          SHA512

                          9a95e7cdffb4c2f02d15bdb1fd233c28656554cb30c5747b9343d897bc826d244d8bcb947828d4aec3193340ee1136d664d5516062e0a4e9be87986de828aff6

                          Download Submit

                        • C:\Windows\IME\IMEJP10\System.exe
                          Filesize

                          1.7MB

                          MD5

                          2731bd4d41da91f925ef4b70e9fa4228

                          SHA1

                          78a5beb657b31691ee6d470559eff499760055b5

                          SHA256

                          119e4542a010f011d538d976e3a0b4eaf300a6148677ac7f78618a9287809eef

                          SHA512

                          0971bed2c1f652397eb66b4e93a4c6e953379eb147e6897784865cffd833ca6e17814afee08d35dbe4e0013d9e651752366bbc52f032eb1ae36e42350f102f6a

                          Download Submit

                        • C:\Windows\RemotePackages\RemoteApps\spoolsv.exe
                          Filesize

                          1.7MB

                          MD5

                          0a2812abc142454aa8502736da49c399

                          SHA1

                          952c0669ba55742fcd6d376c452bd7c7bac725b2

                          SHA256

                          1434f8ebbd375b1d9be498213934eb0d9eff099fa16bee66d904f33fd7d5d480

                          SHA512

                          0f12ae58cf48f517de190c7f635ea4e8293cb9bc9ff0418ecf63be972800737eccc41382c2dec406f4731e010d7720bfbb237271d31f5dbb53082e54fdeec97d

                          Download Submit

                        • C:\Windows\SysWOW64\csrss.exe
                          Filesize

                          1.7MB

                          MD5

                          4f540f96e936ce9bf57d25ce4251d82b

                          SHA1

                          042897381ac1381d17093a778ff4e8740c1d5668

                          SHA256

                          c127d842c8946412bd14562c27c2b74b146f7943024e70764959dd22949e382e

                          SHA512

                          d5c617825d4a21421ed12eea1db69c0c0304af0087293aaadc847503b4b1d676011bbeaf54b5932f81b3e8c790e4b989515af1ef3e67da60b216c76c92c348df

                          Download Submit

                        • C:\Windows\ja-JP\dllhost.exe
                          Filesize

                          1.7MB

                          MD5

                          e702bf00254ce0751b7b2b45cd7f60bf

                          SHA1

                          b1add3ee25ba94c48c70f6cf867e9aa3820cd52a

                          SHA256

                          a2739b8cdb01c8806f27956e35f30d43105ac7dd5962c39282b2b014e77138e9

                          SHA512

                          7db299065a8aef103bd049c86bda4208b0ab4be749baf142499986503fc38c449492b5c673fefcdbdb41949a1d353de25eca3a4cb52017aa7a08f36fb9bfc993

                          Download Submit

                        • memory/1916-340-0x0000000001250000-0x0000000001410000-memory.dmp

                          Filesize

                          1.8MB

                          Download

                        • memory/1968-248-0x0000000002890000-0x0000000002898000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/1968-244-0x000000001B590000-0x000000001B872000-memory.dmp

                          Filesize

                          2.9MB

                          Download

                        • memory/2080-267-0x0000000001230000-0x00000000013F0000-memory.dmp

                          Filesize

                          1.8MB

                          Download

                        • memory/2224-375-0x00000000003E0000-0x00000000005A0000-memory.dmp

                          Filesize

                          1.8MB

                          Download

                        • memory/2256-363-0x00000000002E0000-0x00000000002F2000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/2700-0-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2700-9-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2700-191-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2700-14-0x0000000000FD0000-0x0000000000FDE000-memory.dmp

                          Filesize

                          56KB

                          Download

                        • memory/2700-215-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2700-12-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/2700-16-0x0000000000E90000-0x0000000000E9C000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/2700-11-0x0000000000CC0000-0x0000000000CD2000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/2700-18-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2700-168-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2700-261-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2700-13-0x0000000000E80000-0x0000000000E8A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/2700-8-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/2700-6-0x0000000000540000-0x0000000000556000-memory.dmp

                          Filesize

                          88KB

                          Download

                        • memory/2700-7-0x0000000000C90000-0x0000000000CA0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2700-4-0x00000000004A0000-0x00000000004A8000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2700-5-0x0000000000530000-0x0000000000540000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2700-3-0x0000000000480000-0x000000000049C000-memory.dmp

                          Filesize

                          112KB

                          Download

                        • memory/2700-15-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2700-2-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/2700-17-0x0000000000EA0000-0x0000000000EAC000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/2700-1-0x0000000001200000-0x00000000013C0000-memory.dmp

                          Filesize

                          1.8MB

                          Download