Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-10-2022 16:16

General

  • Target

    file.exe

  • Size

    685KB

  • MD5

    f46ec173d8bde278bd30b1ea98139b82

  • SHA1

    449d0804551bddab7e74b5f49075844c7eb5910b

  • SHA256

    01e7e40df68d964bc66f0b36b986abe39b395baedf8f2067378c395bedffd59e

  • SHA512

    721f2ce3d13a44d2a5a601fdb4448acb710397295e5f4992ba53a268072d36fba19e1758ed7d9e59e77ea71de353b3e0460cde7fb931d75439dd5926513b8bf3

  • SSDEEP

    12288:6Nqf31kcqzecjnf6vBSx7zr/5Ot3blrAJR1pvXvamrbfWQM27W5stq:n1qzeEiSbBwblrAbtnfsst

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan that has been active since June 2019; it is modular and capable of loading additional plugins.

  • Process spawned unexpected child process 64 IoCs

    A process launched a child it would not normally launch; this typically indicates the parent process was compromised via an exploit or macro. In this report the hits are the schtasks.exe invocations listed under Processes.

  • DCRat payload 8 IoCs

    Detects the DCRat payload, which is commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature text labels this likely ransomware behaviour, but it is a generic heuristic: nothing else in this report (no file encryption, no ransom note) points to ransomware, and drive enumeration is also ordinary host reconnaissance for a RAT.

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here each dropped copy of the sample gets three tasks: one every few minutes (/sc MINUTE /mo 5 to 14), one at logon with /rl HIGHEST, and a second minute-interval task with /rl HIGHEST. Task names are either the binary name or the binary name with its own first character appended (winlogon/winlogonw, taskhost/taskhostt, file/filef), and the binaries are placed where those names do not belong: C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\, the MSOCache folders, C:\Users\Default User\, and localized subfolders under Program Files.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "{path}"
      2⤵
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1772
        • C:\Users\Admin\AppData\Local\Temp\file.exe
          "{path}"
          4⤵
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1104
          • C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe
            "C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1560
            • C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe
              "{path}"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\WMIADAP.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1140
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:1840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1456
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:1304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:1512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\Sample Music\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:1532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "filef" /sc MINUTE /mo 5 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\file.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "file" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\file.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "filef" /sc MINUTE /mo 5 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\file.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "filef" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\it-IT\file.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:1180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "file" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\file.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "filef" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\it-IT\file.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /rl HIGHEST /f
    1⤵
    PID:1464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\spoolsv.exe'" /f
    1⤵
    PID:1544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    PID:568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\IMESC5\HELP\winlogon.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\IME\IMESC5\HELP\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\IMESC5\HELP\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\WmiPrvSE.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "filef" /sc MINUTE /mo 8 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\file.exe'" /f
    1⤵
    PID:1752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "file" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\file.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "filef" /sc MINUTE /mo 6 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\file.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:1636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1068
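The schtasks command lines above are the whole persistence story of this sample. What follows is an added example, not code from the report, from the sandbox, or from DCRat: it parses such lines, groups them by the binary they launch, tests each group for the naming and scheduling pattern described under Signatures, and emits the schtasks /delete commands for cleanup. The sample lines are copied from the process tree (plus one constructed benign task for contrast); the IMPERSONATED name list and the LIMITED default run level are this example's own assumptions.

```python
"""Added example: turn schtasks.exe /create command lines into persistence IoCs.

Not part of the sandbox report and not DCRat code. Assumes the task name and
the /tr value are double-quoted the way the report shows them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Windows process names this sample impersonates (assumption: list chosen from the report).
IMPERSONATED = {"winlogon", "taskhost", "services", "explorer", "system", "wmiadap",
                "spoolsv", "lsm", "csrss", "sppsvc", "idle", "wininit", "smss", "wmiprvse"}

_FLAG = {
    "tn": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "sc": re.compile(r"/sc\s+(\w+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "tr": re.compile(r'/tr\s+"(.*?)"', re.I),
    "rl": re.compile(r"/rl\s+(\w+)", re.I),
}

# Copied from the process tree above, plus one constructed benign line for contrast.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f''',
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe"''',  # constructed, benign
]


@dataclass
class Task:
    name: str
    schedule: str            # MINUTE, ONLOGON, DAILY, ...
    interval: Optional[int]  # /mo value (minutes) for MINUTE schedules
    target: str              # program the task launches
    run_level: str           # HIGHEST, or LIMITED (schtasks default when /rl is absent)


def _flag(key, cmdline):
    m = _FLAG[key].search(cmdline)
    return m.group(1) if m else None


def parse_schtasks(cmdline):
    """Return a Task for a 'schtasks /create' command line, else None."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create\b", cmdline, re.I):
        return None
    name, target = _flag("tn", cmdline), _flag("tr", cmdline)
    if not name or not target:
        return None
    mo = _flag("mo", cmdline)
    return Task(name=name,
                schedule=(_flag("sc", cmdline) or "").upper(),
                interval=int(mo) if mo else None,
                target=target.strip("'"),  # the report wraps the path as "'C:\...'"
                run_level=(_flag("rl", cmdline) or "LIMITED").upper())


def dcrat_name_scheme(task_name, target):
    """Task named after its binary, or the binary name plus that name's first
    character: winlogon -> winlogonw, taskhost -> taskhostt, file -> filef."""
    stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(stem) and task_name in (stem, stem + stem[0])


def impersonates_system_binary(target):
    """A system-process name living outside C:\\Windows\\System32."""
    directory, _, filename = target.rpartition("\\")
    stem = filename.rsplit(".", 1)[0].lower()
    return stem in IMPERSONATED and not directory.lower().startswith(r"c:\windows\system32")


@dataclass
class Finding:
    target: str
    tasks: List[Task] = field(default_factory=list)

    @property
    def task_names(self):
        return sorted({t.name for t in self.tasks})

    @property
    def minute_intervals(self):
        return sorted(t.interval for t in self.tasks if t.schedule == "MINUTE" and t.interval)

    @property
    def elevated_at_logon(self):
        return any(t.schedule == "ONLOGON" and t.run_level == "HIGHEST" for t in self.tasks)

    @property
    def dcrat_like(self):
        """Logon task at HIGHEST plus a minute-interval relaunch, every task named per the scheme."""
        return (self.elevated_at_logon and bool(self.minute_intervals)
                and all(dcrat_name_scheme(t.name, self.target) for t in self.tasks))

    def remediation(self):
        """Commands that remove the tasks; the dropped binary still has to be collected."""
        return [f'schtasks /delete /tn "{n}" /f' for n in self.task_names]


def analyse(cmdlines):
    """Map each launched binary to the tasks created for it."""
    findings = {}
    for line in cmdlines:
        task = parse_schtasks(line)
        if task:
            findings.setdefault(task.target, Finding(task.target)).tasks.append(task)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_CMDLINES).values():
        print(("DCRat-like " if f.dcrat_like else "no pattern ") + f.target)
        print(f"    tasks={f.task_names} minutes={f.minute_intervals} "
              f"impersonation={impersonates_system_binary(f.target)}")
        for cmd in (f.remediation() if f.dcrat_like else []):
            print("    " + cmd)
```

Findings are keyed by target path rather than task name on purpose: every task here is created with /f, so a name reused for several paths (winlogonw points at five different winlogon.exe copies in this report) is overwritten each time and only the last definition survives in the Task Scheduler, while each of the earlier binaries is still on disk and still has to be collected.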

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe

    Listed three times in the report under this path and twice more as \Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe (the same file without the drive letter). All five entries carry the hashes below, which are identical to those of the submitted file.exe: the dropped copy is byte-for-byte the original sample.

    Filesize

    685KB

    MD5

    f46ec173d8bde278bd30b1ea98139b82

    SHA1

    449d0804551bddab7e74b5f49075844c7eb5910b

    SHA256

    01e7e40df68d964bc66f0b36b986abe39b395baedf8f2067378c395bedffd59e

    SHA512

    721f2ce3d13a44d2a5a601fdb4448acb710397295e5f4992ba53a268072d36fba19e1758ed7d9e59e77ea71de353b3e0460cde7fb931d75439dd5926513b8bf3

  • memory/668-101-0x00000000004776DE-mapping.dmp
  • memory/1104-82-0x00000000004776DE-mapping.dmp
  • memory/1324-54-0x0000000000200000-0x00000000002B2000-memory.dmp (712KB)
  • memory/1324-58-0x0000000005B60000-0x0000000005BDC000-memory.dmp (496KB)
  • memory/1324-57-0x0000000005AC0000-0x0000000005B58000-memory.dmp (608KB)
  • memory/1324-56-0x0000000000630000-0x0000000000650000-memory.dmp (128KB)
  • memory/1324-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp (8KB)
  • memory/1560-93-0x0000000000F80000-0x0000000001032000-memory.dmp (712KB)
  • memory/1560-90-0x0000000000000000-mapping.dmp
  • memory/1772-74-0x0000000000000000-mapping.dmp
  • memory/2040-60-0x0000000000400000-0x000000000047C000-memory.dmp (496KB)
  • memory/2040-73-0x0000000001EA0000-0x0000000001EAC000-memory.dmp (48KB)
  • memory/2040-72-0x0000000001E90000-0x0000000001E9C000-memory.dmp (48KB)
  • memory/2040-71-0x0000000001E20000-0x0000000001E2C000-memory.dmp (48KB)
  • memory/2040-69-0x0000000000400000-0x000000000047C000-memory.dmp (496KB)
  • memory/2040-67-0x0000000000400000-0x000000000047C000-memory.dmp (496KB)
  • memory/2040-65-0x00000000004776DE-mapping.dmp
  • memory/2040-64-0x0000000000400000-0x000000000047C000-memory.dmp (496KB)
  • memory/2040-63-0x0000000000400000-0x000000000047C000-memory.dmp (496KB)
  • memory/2040-62-0x0000000000400000-0x000000000047C000-memory.dmp (496KB)
  • memory/2040-59-0x0000000000400000-0x000000000047C000-memory.dmp (496KB)
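The dump names carry the evidence for the injection that the SetThreadContext and WriteProcessMemory signatures hint at: file.exe (PID 1324) spawns itself as "{path}" (PID 2040), the child's image region 0x400000-0x47C000 is exactly the 496KB of the parent's private region at 0x5B60000, and the child's recorded mapping address 0x4776DE lies inside that image. The following is an added example, not code from the report or from DCRat, that reads dump names of this shape and applies those two checks plus a third, shared entry points across processes. The names are copied from the list above; the parent/child map is taken from the process tree. Treating the address in a `-mapping.dmp` name as the entry point the sandbox recorded for the process (0 meaning none) is this example's own assumption about the report format.

```python
"""Added example: test a self-spawned child for process hollowing from sandbox
memory-dump names. Not part of the report and not DCRat code.

Assumed name formats:
  memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   a dumped region of <pid>
  memory/<pid>-<seq>-0x<addr>-mapping.dmp           a mapping event; <addr> is treated
                                                    here as the recorded entry point
"""
import re
from collections import defaultdict

# Copied from the report above (a subset; repeated dumps of one region are kept to show dedup).
DUMP_NAMES = [
    "memory/1324-54-0x0000000000200000-0x00000000002B2000-memory.dmp",  # parent file.exe
    "memory/1324-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp",
    "memory/1324-56-0x0000000000630000-0x0000000000650000-memory.dmp",
    "memory/1324-57-0x0000000005AC0000-0x0000000005B58000-memory.dmp",
    "memory/1324-58-0x0000000005B60000-0x0000000005BDC000-memory.dmp",
    "memory/2040-59-0x0000000000400000-0x000000000047C000-memory.dmp",  # child run as "{path}"
    "memory/2040-60-0x0000000000400000-0x000000000047C000-memory.dmp",  # same region, later dump
    "memory/2040-65-0x00000000004776DE-mapping.dmp",
    "memory/2040-71-0x0000000001E20000-0x0000000001E2C000-memory.dmp",
    "memory/1104-82-0x00000000004776DE-mapping.dmp",
    "memory/1560-90-0x0000000000000000-mapping.dmp",                    # dropped wininit.exe
    "memory/1560-93-0x0000000000F80000-0x0000000001032000-memory.dmp",
    "memory/668-101-0x00000000004776DE-mapping.dmp",
]

# Parent of each PID, from the process tree above.
PARENT = {2040: 1324, 1772: 2040, 1104: 1772, 1560: 1104, 668: 1560}

_REGION = re.compile(r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
_MAPPING = re.compile(r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-mapping\.dmp$")


def parse_dumps(names):
    """Return (pid -> {(start, end)}, pid -> {entry address}); repeats collapse."""
    regions, entries = defaultdict(set), defaultdict(set)
    for n in names:
        if m := _REGION.match(n):
            regions[int(m[1])].add((int(m[2], 16), int(m[3], 16)))
        elif m := _MAPPING.match(n):
            entries[int(m[1])].add(int(m[2], 16))
    return regions, entries


def size_kb(start, end):
    return (end - start) // 1024


def entry_inside_region(pid, regions, entries):
    """(addr, start, end) for every recorded entry address inside a dumped region of pid."""
    return sorted((a, s, e) for a in entries.get(pid, ())
                  for s, e in regions.get(pid, ()) if s <= a < e)


def same_size_regions(child, parent, regions):
    """Child regions whose size equals a parent region: an image staged in the
    parent and written into the child keeps its size."""
    return sorted(((cs, ce), (ps, pe))
                  for cs, ce in regions.get(child, ())
                  for ps, pe in regions.get(parent, ())
                  if ce - cs == pe - ps)


def shared_entry_points(entries):
    """Non-zero entry addresses recorded for more than one process: the same
    injected image started at the same offset in each self-spawned child."""
    by_addr = defaultdict(list)
    for pid, addrs in entries.items():
        for a in addrs:
            if a:
                by_addr[a].append(pid)
    return {a: sorted(p) for a, p in by_addr.items() if len(p) > 1}


def hollowing_indicators(child, regions, entries, parent_of=PARENT):
    parent = parent_of.get(child)
    hits = entry_inside_region(child, regions, entries)
    staged = same_size_regions(child, parent, regions) if parent else []
    return {"parent": parent, "entry_hits": hits, "staged_in_parent": staged,
            "suspicious": bool(hits) and bool(staged)}


if __name__ == "__main__":
    regions, entries = parse_dumps(DUMP_NAMES)
    for pid in sorted(PARENT):
        r = hollowing_indicators(pid, regions, entries)
        print(f"pid {pid} (parent {r['parent']}): suspicious={r['suspicious']}")
        for a, s, e in r["entry_hits"]:
            print(f"  entry 0x{a:X} inside 0x{s:X}-0x{e:X} ({size_kb(s, e)}KB)")
        for (cs, ce), (ps, pe) in r["staged_in_parent"]:
            print(f"  child 0x{cs:X}-0x{ce:X} matches parent 0x{ps:X}-0x{pe:X} ({size_kb(cs, ce)}KB)")
    for a, pids in shared_entry_points(entries).items():
        print(f"entry 0x{a:X} shared by pids {pids}")
```

Only PID 2040 has both region dumps and an entry address in this report, so it is the only child the size check can confirm; PIDs 1104 and 668 have no region dumps but record the same 0x4776DE entry, which is why the shared-entry check is worth running alongside it. The dropped wininit.exe (PID 1560) records no entry address and its 712KB image matches the parent's 712KB region at 0x200000, consistent with the identical hashes under Downloads: the same file run again, not an injected payload.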