Overview

overview

10

Static

static

10

5d05c7d74a...58.exe

windows7-x64

10

5d05c7d74a...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-01-2023 09:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exe

  • Size

    1.3MB

  • MD5

    b9a0002e9a104374dea2f4ba571f1764

  • SHA1

    627488abb7aeeb5f8f411a9694cebd6b4748a86f

  • SHA256

    5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18

  • SHA512

    439d0ad76753bf88adc6d92e80fda5bbc64c5724180d8689f79fbf48a80754eb5f127284f123a71129a110ccfeeccb1c3c4cb0879f7859a0648aa0e09ba805b5

  • SSDEEP

    24576:U2G/nvxW3Ww0t4952ytIS/Zgi5N5vC8bg7Mj9W4eHdELPh:UbA30QAytISht5q8bQMB4o

Score
10/10
dcratevasioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 30 IoCs
    persistence
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 60 IoCs
    persistence
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exe
    "C:\Users\Admin\AppData\Local\Temp\5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
          "C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:472
          • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
            "C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1728
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B0aEddWN7P.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1764
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1248
                • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
                  "C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe"
                  7⤵
                  • Modifies WinLogon for persistence
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2036
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CnpfCVPEv7.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1780
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:624
                      • C:\Program Files\7-Zip\Lang\lsm.exe
                        "C:\Program Files\7-Zip\Lang\lsm.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1116
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              4⤵
              • Modifies registry key
              PID:1588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:1112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1496
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1776
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:436
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1288
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:308
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1060
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1824
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1788
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1764
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1596
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1692
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:268
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:872
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1792
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1496
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\de-DE\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:1856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:900
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\de-DE\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperReviewwinh" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\hyperReviewwin.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperReviewwin" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\hyperReviewwin.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperReviewwinh" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\hyperReviewwin.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1368
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1152
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\ja-JP\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\ja-JP\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1060
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:668
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1956
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:1820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:268
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1040
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1960
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:776
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1288
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1608
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\WMIADAP.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1812
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\de-DE\WMIADAP.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1596
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\WMIADAP.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:432
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1848
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1784
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:548
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\taskhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\twain_32\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1296
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:2032
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:1356
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:1308
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperReviewwinh" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\hyperReviewwin.exe'" /f
        1⤵
        • Creates scheduled task(s)
        PID:1320
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperReviewwin" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\hyperReviewwin.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:1040
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "hyperReviewwinh" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\hyperReviewwin.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:1520
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\System.exe'" /f
        1⤵
        • Creates scheduled task(s)
        PID:1728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\SendTo\System.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:1736
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\System.exe'" /rl HIGHEST /f
        1⤵
          PID:840
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\taskhost.exe'" /f
          1⤵
            PID:952
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\taskhost.exe'" /rl HIGHEST /f
            1⤵
              PID:972
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\DataStore\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Creates scheduled task(s)
              PID:1608
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\fr-FR\sppsvc.exe'" /f
              1⤵
              • Creates scheduled task(s)
              PID:776
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\fr-FR\sppsvc.exe'" /rl HIGHEST /f
              1⤵
                PID:1732
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\fr-FR\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                  PID:1680
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "hyperReviewwinh" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\hyperReviewwin.exe'" /f
                  1⤵
                  • Creates scheduled task(s)
                  PID:900
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "hyperReviewwin" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\hyperReviewwin.exe'" /rl HIGHEST /f
                  1⤵
                  • Creates scheduled task(s)
                  PID:1788
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "hyperReviewwinh" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\hyperReviewwin.exe'" /rl HIGHEST /f
                  1⤵
                    PID:1936
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\csrss.exe'" /f
                    1⤵
                    • Creates scheduled task(s)
                    PID:1168
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\csrss.exe'" /rl HIGHEST /f
                    1⤵
                    • Creates scheduled task(s)
                    PID:772
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\csrss.exe'" /rl HIGHEST /f
                    1⤵
                      PID:1392
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\csrss.exe'" /f
                      1⤵
                        PID:964
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Creates scheduled task(s)
                        PID:1552
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
                        1⤵
                        • Creates scheduled task(s)
                        PID:1216
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
                        1⤵
                          PID:704
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                          1⤵
                          • Creates scheduled task(s)
                          PID:560
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                          1⤵
                          • Creates scheduled task(s)
                          PID:1264

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Initial Access

                        Execution

                        Scheduled Task

                        1
                        T1053

                        Persistence

                        Winlogon Helper DLL

                        1
                        T1004

                        Registry Run Keys / Startup Folder

                        1
                        T1060

                        Scheduled Task

                        1
                        T1053

                        Privilege Escalation

                        Scheduled Task

                        1
                        T1053

                        Defense Evasion

                        Modify Registry

                        3
                        T1112

                        Credential Access

                        Discovery

                        System Information Discovery

                        1
                        T1082

                        Lateral Movement

                        Collection

                        Exfiltration

                        Command and Control

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Program Files\7-Zip\Lang\lsm.exe
                          Filesize

                          1.0MB

                          MD5

                          ce9d81db072369459840b1fe59a54ac9

                          SHA1

                          5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

                          SHA256

                          62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

                          SHA512

                          6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

                          Download Submit
                        • C:\Program Files\7-Zip\Lang\lsm.exe
                          Filesize

                          1.0MB

                          MD5

                          ce9d81db072369459840b1fe59a54ac9

                          SHA1

                          5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

                          SHA256

                          62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

                          SHA512

                          6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\B0aEddWN7P.bat
                          Filesize

                          245B

                          MD5

                          a4cf252015131dbb37304d1cf7d94ae0

                          SHA1

                          8695c52c3bd1a7f96d2ee529404df36332e24456

                          SHA256

                          de36a80bc03e5d063ab4d790e1aaa8e1b0628d1b9999707be9eb627aa9aa7be0

                          SHA512

                          0f3790597ad9cb7ab287856d96566cbba36a81ccf133c5c6a0deb71f38b04ac8dbb88b1cc936dbe6bcd363d4f3c6abccb0dd1eebd62fa6609a454de35fc7fa16

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\CnpfCVPEv7.bat
                          Filesize

                          200B

                          MD5

                          f618e0958fe61d8bcdf3c4da9256d6ab

                          SHA1

                          753d333ccf1f99421e1e809cfc6e6bfa70de868f

                          SHA256

                          b4db237383eb762d565237b35226feece1b0bc53af19d8ad905be8a2d1e42f93

                          SHA512

                          7be88d1c5d89bab14d9814803207f4ad44404a167f8b2198a4963ab7b2cfc04f28110204c203bbdcf8090d319f85363bd08183def20db423f4fbf9ed76f75748

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat
                          Filesize

                          173B

                          MD5

                          2445216481e9c79fe7a7d2dddd5dd047

                          SHA1

                          5caaf8f423f587b26c0d98bb57db0e295d7ca6a7

                          SHA256

                          0d8405ad4bde2e23144377872f204baf9cdbc1343a55c075dabeec49a64c7c3d

                          SHA512

                          7000b171a053a0bb20c435765f2c76272e71eb4f429e2b500282f4765b9141757cdcb93a94480ae8ae0b78624098a02bb71caa111e8ab516f12c863725f86484

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe
                          Filesize

                          221B

                          MD5

                          fc584ab062886ba5b7b34c8a8e4f1809

                          SHA1

                          6be7eeee2021f69be9e4513f0cb28408a56caba9

                          SHA256

                          873395e08f2ca43b4698329c5e2b6667dec76f2eeb08b05a1cff0a14e5a9db76

                          SHA512

                          a74d1b3567e169ed0ec0d135e31312eeae71f87e43c2311a16539f670116f2ce75bb4b4f33a6b462aa417c3764637b3e6c027b44728b2da7874031ac0cc4a7b8

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
                          Filesize

                          1.0MB

                          MD5

                          ce9d81db072369459840b1fe59a54ac9

                          SHA1

                          5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

                          SHA256

                          62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

                          SHA512

                          6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
                          Filesize

                          1.0MB

                          MD5

                          ce9d81db072369459840b1fe59a54ac9

                          SHA1

                          5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

                          SHA256

                          62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

                          SHA512

                          6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
                          Filesize

                          1.0MB

                          MD5

                          ce9d81db072369459840b1fe59a54ac9

                          SHA1

                          5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

                          SHA256

                          62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

                          SHA512

                          6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
                          Filesize

                          1.0MB

                          MD5

                          ce9d81db072369459840b1fe59a54ac9

                          SHA1

                          5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

                          SHA256

                          62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

                          SHA512

                          6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

                          Download Submit
                        • \Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
                          Filesize

                          1.0MB

                          MD5

                          ce9d81db072369459840b1fe59a54ac9

                          SHA1

                          5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

                          SHA256

                          62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

                          SHA512

                          6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

                          Download Submit
                        • \Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
                          Filesize

                          1.0MB

                          MD5

                          ce9d81db072369459840b1fe59a54ac9

                          SHA1

                          5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

                          SHA256

                          62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

                          SHA512

                          6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

                          Download Submit
                        • memory/472-63-0x0000000000000000-mapping.dmp
                          Download
                        • memory/472-68-0x0000000000470000-0x0000000000478000-memory.dmp
                          Filesize

                          32KB

                          Download
                        • memory/472-69-0x0000000000480000-0x000000000048C000-memory.dmp
                          Filesize

                          48KB

                          Download
                        • memory/472-66-0x00000000002D0000-0x00000000002E0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/472-65-0x0000000000830000-0x000000000093A000-memory.dmp
                          Filesize

                          1.0MB

                          Download
                        • memory/472-67-0x00000000002E0000-0x00000000002EC000-memory.dmp
                          Filesize

                          48KB

                          Download
                        • memory/624-81-0x0000000000000000-mapping.dmp
                          Download
                        • memory/964-55-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1116-85-0x0000000001200000-0x000000000130A000-memory.dmp
                          Filesize

                          1.0MB

                          Download
                        • memory/1116-83-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1248-75-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1500-59-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1588-72-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1728-70-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1764-73-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1780-79-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1996-54-0x0000000075D11000-0x0000000075D13000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2036-78-0x0000000000230000-0x000000000033A000-memory.dmp
                          Filesize

                          1.0MB

                          Download
                        • memory/2036-76-0x0000000000000000-mapping.dmp
                          Download