Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-05-2024 05:45

General

  • Target

    fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe

  • Size

    2.7MB

  • MD5

    a78d0c51cca6fcf4a6ef0c33e5fd0bd4

  • SHA1

    5768a7cf4aeed1327d64087f55fc6fba34f817fd

  • SHA256

    fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8

  • SHA512

    a3d3c48766afe5890562f0e86f5c44bf62beefebcf8f87dfc5065ba53ecae6cb8f9e4f441ac87ec5359170c08792fc784e9187366cb7c9a64fc6eb4c90e250c5

  • SSDEEP

    49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 26 IoCs
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to change Windows Defender settings by adding exclusions for file extensions, paths or processes. In this run the command is Add-MpPreference -ExclusionPath 'C:\', which excludes the whole system drive from scanning.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 50 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in Program Files directory 30 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    schtasks.exe is often used by malware for persistence or for post-infection execution. Here it registers, for each dropped copy of the payload, an ONLOGON task at the highest run level plus one or two MINUTE-interval watchdog tasks that relaunch the copy if it is killed.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
    "C:\Users\Admin\AppData\Local\Temp\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Users\Admin\AppData\Local\Temp\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
      "C:\Users\Admin\AppData\Local\Temp\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1084
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u5MeZyGQdN.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:668
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
            PID:892
          • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe
            "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe"
            4⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:1700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:2816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Cookies\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8f" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2176
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1264
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8f" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      PID:2412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8f" /sc MINUTE /mo 6 /tr "'C:\Windows\system\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8" /sc ONLOGON /tr "'C:\Windows\system\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8f" /sc MINUTE /mo 10 /tr "'C:\Windows\system\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:2540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8f" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8" /sc ONLOGON /tr "'C:\Users\Admin\Recent\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8f" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Recent\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:2964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2296
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1956
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:292
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1444
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:584
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1800
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:2708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:2648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:2512
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2136
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\debug\WIA\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:2864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2508
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      PID:1572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2796
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:2292
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:1684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2160
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\system\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:292
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\csrss.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:2768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:2052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:3004
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\audiodg.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:1452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:2668
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /f
      1⤵
      • Creates scheduled task(s)
      PID:1792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1620
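
    The process tree above is the sample's persistence playbook in full: each dropped copy is named after a Windows system binary (csrss.exe, lsass.exe, wininit.exe, sppsvc.exe, System.exe, Idle.exe and so on) but lives in an unrelated directory, and each gets a MINUTE watchdog task whose name is the binary name with its first letter repeated ("csrssc", "lsassl", "IdleI"), an ONLOGON task at /rl HIGHEST, and usually a second watchdog at /rl HIGHEST. The /rl HIGHEST registrations only succeed because the sample has an elevated token, which is what the "UAC bypass" signature records. The Python below is an added example, not part of the sandbox report, that turns those command lines into hunting logic you can run over process-creation events (Sysmon Event ID 1 or Security 4688 command lines). The GENUINE_LOCATION table is an assumption about a default Windows 7 x64 install, and SAMPLE_EVENTS is constructed from the command lines listed above plus one benign scheduled task as a control.

```python
"""Hunting logic for the persistence and defence-evasion commands in the
report above (added example; the sandbox page itself ships no code)."""
import re
from dataclasses import dataclass

# Where the genuine Windows 7 x64 binaries that the sample imitates live
# (assumption: default install paths; the report only shows the fakes).
GENUINE_LOCATION = {
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "wininit.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "sppsvc.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "lsm.exe": r"c:\windows\system32",
    "audiodg.exe": r"c:\windows\system32",
    "taskhost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# "System" and "System Idle Process" are kernel pseudo-processes with no image
# on disk, so any System.exe or Idle.exe is a masquerade by definition.
NO_IMAGE_ON_DISK = {"system.exe", "idle.exe"}

_ARG = {
    "tn": re.compile(r'/tn\s+"([^"]*)"', re.I),
    "sc": re.compile(r"/sc\s+(\w+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "tr": re.compile(r'/tr\s+"\'?([^"\']+)\'?"', re.I),  # "'C:\path\x.exe'"
    "rl": re.compile(r"/rl\s+(\w+)", re.I),
}
_MP_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(\S+)", re.I)


@dataclass
class Finding:
    pid: int
    severity: str       # high / medium / low
    reasons: list
    task_name: str = ""
    target: str = ""


def parse_schtasks(cmdline):
    """Return the /create arguments of a schtasks command line, else None."""
    if not re.search(r"schtasks(\.exe)?\s+/create", cmdline, re.I):
        return None
    args = {}
    for key, rx in _ARG.items():
        m = rx.search(cmdline)
        args[key] = m.group(1) if m else None
    args["force"] = bool(re.search(r"\s/f(\s|$)", cmdline, re.I))
    return args


def assess_task(task):
    """Return (masquerade, reasons) for one parsed schtasks /create."""
    reasons, masquerade = [], False
    target = (task["tr"] or "").strip("'\"")
    directory, _, fname = target.rpartition("\\")
    fname_l, dir_l = fname.lower(), directory.lower()
    if fname_l in NO_IMAGE_ON_DISK:
        masquerade = True
        reasons.append(f"{fname} imitates a kernel pseudo-process that has no executable")
    elif fname_l in GENUINE_LOCATION and dir_l != GENUINE_LOCATION[fname_l]:
        masquerade = True
        reasons.append(f"{fname} outside its genuine directory {GENUINE_LOCATION[fname_l]}")
    # The report's watchdog tasks are named <binary stem> + its first letter
    # ("csrss" -> "csrssc", "lsass" -> "lsassl", "Idle" -> "IdleI").
    stem = fname_l[:-4] if fname_l.endswith(".exe") else fname_l
    name = (task["tn"] or "").lower()
    if stem and name == stem + stem[0]:
        reasons.append(f"task name {task['tn']!r} is the target's name with a duplicated letter")
    if (task["rl"] or "").upper() == "HIGHEST":
        reasons.append("runs at highest privilege level")
    sched = (task["sc"] or "").upper()
    if sched == "MINUTE" and task["mo"]:
        reasons.append(f"re-launches every {task['mo']} min (watchdog)")
    elif sched == "ONLOGON":
        reasons.append("re-launches at every logon")
    return masquerade, reasons


def parse_defender_exclusion(cmdline):
    """Return (kind, value) for an Add-MpPreference -Exclusion* call, else None."""
    m = _MP_EXCLUSION.search(cmdline)
    return (m.group(1), m.group(2).strip("'\"")) if m else None


def hunt(events):
    """events: iterable of (pid, command line). Returns Findings, worst first."""
    findings = []
    for pid, cmd in events:
        task = parse_schtasks(cmd)
        excl = None if task else parse_defender_exclusion(cmd)
        if task:
            masq, reasons = assess_task(task)
            if reasons:
                findings.append(Finding(pid, "high" if masq else "medium", reasons,
                                        task["tn"] or "", task["tr"] or ""))
        elif excl:
            kind, value = excl
            whole_drive = kind.lower() == "path" and re.fullmatch(r"[a-z]:\\?", value, re.I)
            findings.append(Finding(pid, "high" if whole_drive else "medium",
                                    [f"Defender {kind} exclusion added for {value!r}"], target=value))
        elif re.search(r"\bw32tm(\.exe)?\s+/stripchart", cmd, re.I):
            findings.append(Finding(pid, "low", ["w32tm /stripchart used as a sleep in a dropper batch"]))
        elif re.search(r'\bcmd(\.exe)?"?\s+/c\s+"?[^"]*\\temp\\[^"]*\.bat', cmd, re.I):
            findings.append(Finding(pid, "low", ["cmd.exe runs a .bat from a Temp directory"]))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f.severity], f.pid))


# Constructed sample: process-creation command lines copied from the report,
# plus one benign scheduled task (PID 4242) as a control.
SAMPLE_EVENTS = [
    (2144, r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\'"""),
    (668, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u5MeZyGQdN.bat"'),
    (892, r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (2864, r"""schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f"""),
    (2724, r"""schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f"""),
    (2968, r"""schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /f"""),
    (1632, r"""schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f"""),
    (2176, r"""schtasks.exe /create /tn "fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8f" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe'" /f"""),
    (4242, r'schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f'),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity:>6}] pid {f.pid:<5} {f.task_name or f.target}: " + "; ".join(f.reasons))
```

    Two design choices follow from the report itself. First, the detection keys on behaviour (system-binary name outside its real directory, duplicated-letter task names, HIGHEST run level, MINUTE watchdogs, a drive-root Defender exclusion) rather than on file hashes, because the Downloads section shows that two of the dropped copies (the one under Recent and the one under C:\Windows\system) carry different MD5/SHA256 values from the submitted file even though all are 2.7MB, so a hash-only IOC would miss them. Second, the hash-named tasks that copy the sample's own file name are rated medium rather than high: they are not masquerading as anything, and only the watchdog schedule and run level give them away, which is why the benign control task in the sample produces no finding at all.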

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe

      Filesize

      2.7MB

      MD5

      a78d0c51cca6fcf4a6ef0c33e5fd0bd4

      SHA1

      5768a7cf4aeed1327d64087f55fc6fba34f817fd

      SHA256

      fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8

      SHA512

      a3d3c48766afe5890562f0e86f5c44bf62beefebcf8f87dfc5065ba53ecae6cb8f9e4f441ac87ec5359170c08792fc784e9187366cb7c9a64fc6eb4c90e250c5

    • C:\Users\Admin\AppData\Local\Temp\u5MeZyGQdN.bat

      Filesize

      237B

      MD5

      5d348d27d4d6502b9b8f64607b1b29ec

      SHA1

      eaa0fe62129a5ad7ef9c86d8cab0ed23dfeaeca5

      SHA256

      823801c23f6a208f9b65669e29413924beb529f38566867d457d12499d920c8c

      SHA512

      e538810da92c0508f87947f602e9d1f32f22366c9b81f9252c2ccdfb1f84c337a6a5477124ddd3b7af50ced2a76f05c98151f222cfbe2107a6689ea9cc3a0ef6

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      8b338f1d2f694efc580ea74ab3981850

      SHA1

      464b09d385bdec57d9133faabb3554a2354e1e74

      SHA256

      7a1c6be470f437fc58a299b58e77e5031549e543827d45ab5f3192538b9825f7

      SHA512

      fc45958f132e4fe3d2f9f609de4aac27188a6fe96df3333a9d094ca89bc300bf1bfe1c18b01422d102de03fdb2a06caa5c5bde9543b9a3adaeff14fe1f418d3d

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe

      Filesize

      2.7MB

      MD5

      ae65c997e56439f2ebac360add75316c

      SHA1

      95c9362d655548ca88b40e57a2ea5fd4278a6523

      SHA256

      038371de6e69352136d0747b3ced1379a456be534932d0764ecd3b4b88f4dbfa

      SHA512

      6fe30fb26717db5131844370982baaa2153991932e6a18ac509ddb95b0d2c10dd06db0e2cad173fc165474a4aa691db37c339d840bc8ed3270331575835b4130

    • C:\Windows\system\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe

      Filesize

      2.7MB

      MD5

      ee2cd1521ff1bc39102dabbd375ad0b7

      SHA1

      e413734d0c0e2d7d3dfe4e5920a6fab937368f02

      SHA256

      b2ad526591e910739dea4ab308d400142069f4cf99ca7eaf1912e445709b9afa

      SHA512

      629ecf240c106ce829f8bb7e5c58e9975e92456bcd57f1fc33faedd75784f098c0ad7a8e81be10e5910a4aeaeeb33e291567dd48f9c38eca05368f8f5e2844a2

    • \??\PIPE\srvsvc

      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • memory/1084-205-0x00000000027E0000-0x00000000027E8000-memory.dmp

      Filesize

      32KB

    • memory/1084-204-0x000000001B600000-0x000000001B8E2000-memory.dmp

      Filesize

      2.9MB

    • memory/1700-208-0x0000000000150000-0x0000000000410000-memory.dmp

      Filesize

      2.8MB

    • memory/2144-131-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

      Filesize

      32KB

    • memory/2144-130-0x000000001B600000-0x000000001B8E2000-memory.dmp

      Filesize

      2.9MB

    • memory/2360-9-0x00000000007A0000-0x00000000007A8000-memory.dmp

      Filesize

      32KB

    • memory/2360-23-0x000000001B010000-0x000000001B018000-memory.dmp

      Filesize

      32KB

    • memory/2360-13-0x00000000007C0000-0x00000000007C8000-memory.dmp

      Filesize

      32KB

    • memory/2360-14-0x0000000000850000-0x0000000000858000-memory.dmp

      Filesize

      32KB

    • memory/2360-15-0x0000000002280000-0x000000000228C000-memory.dmp

      Filesize

      48KB

    • memory/2360-17-0x00000000022A0000-0x00000000022AC000-memory.dmp

      Filesize

      48KB

    • memory/2360-16-0x0000000002290000-0x0000000002298000-memory.dmp

      Filesize

      32KB

    • memory/2360-18-0x00000000022B0000-0x00000000022BC000-memory.dmp

      Filesize

      48KB

    • memory/2360-19-0x000000001AF00000-0x000000001AF08000-memory.dmp

      Filesize

      32KB

    • memory/2360-21-0x000000001AEE0000-0x000000001AEEC000-memory.dmp

      Filesize

      48KB

    • memory/2360-20-0x000000001AED0000-0x000000001AED8000-memory.dmp

      Filesize

      32KB

    • memory/2360-24-0x000000001B0A0000-0x000000001B0AA000-memory.dmp

      Filesize

      40KB

    • memory/2360-25-0x000000001B0B0000-0x000000001B0BC000-memory.dmp

      Filesize

      48KB

    • memory/2360-12-0x000000001AAB0000-0x000000001AB06000-memory.dmp

      Filesize

      344KB

    • memory/2360-26-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

      Filesize

      9.9MB

    • memory/2360-22-0x000000001AEF0000-0x000000001AEFC000-memory.dmp

      Filesize

      48KB

    • memory/2360-11-0x00000000007B0000-0x00000000007BA000-memory.dmp

      Filesize

      40KB

    • memory/2360-10-0x00000000003D0000-0x00000000003E0000-memory.dmp

      Filesize

      64KB

    • memory/2360-0-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp

      Filesize

      4KB

    • memory/2360-8-0x0000000000320000-0x0000000000328000-memory.dmp

      Filesize

      32KB

    • memory/2360-132-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

      Filesize

      9.9MB

    • memory/2360-7-0x00000000003B0000-0x00000000003C6000-memory.dmp

      Filesize

      88KB

    • memory/2360-5-0x00000000002F0000-0x00000000002F8000-memory.dmp

      Filesize

      32KB

    • memory/2360-6-0x0000000000300000-0x0000000000310000-memory.dmp

      Filesize

      64KB

    • memory/2360-4-0x00000000002D0000-0x00000000002EC000-memory.dmp

      Filesize

      112KB

    • memory/2360-3-0x00000000002C0000-0x00000000002C8000-memory.dmp

      Filesize

      32KB

    • memory/2360-2-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

      Filesize

      9.9MB

    • memory/2360-1-0x00000000003E0000-0x00000000006A0000-memory.dmp

      Filesize

      2.8MB