Overview

overview

10

Static

static

10

19ab72819e...63.exe

windows7-x64

10

19ab72819e...63.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31-05-2024 08:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe

  • Size

    1.9MB

  • MD5

    29d80d247dfb4bd92b1bcfd7a7695d36

  • SHA1

    0284cb27c754537c0440d9341a6fd07b0be1fa42

  • SHA256

    19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963

  • SHA512

    5b25f67c590204cb293e46e0eb10f47e0b02a3c3db1e6537c8a6414b598d4811c68c96a39b18391f750cf72fab4621eaec51fe4e4cc6b11c220823717e37c1e0

  • SSDEEP

    24576:5cIqg3pZ9Lbp1x5mMnbJ4ANfUAlkDd/2uUpET57RLGKETv/cyUM6MniOlsxvZBSg:XrhDbJ4dAlkpuuUpY57cKEr0a7iOyKc

Score
10/10
dcratexecutioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 34 IoCs
    persistence
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 37 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Drops file in Program Files directory 31 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe
    "C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2292
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1580
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\br1tpLa245.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2196
        • C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe
          "C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Pictures\explorer.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3024
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\explorer.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2856
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\winlogon.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\services.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\audiodg.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2508
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\sppsvc.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\it-IT\sppsvc.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2428
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\winlogon.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2616
          • C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe
            "C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            PID:2696
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2984
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1856
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\conhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2956
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\en-US\WmiPrvSE.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1828
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\powershell.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:944
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\conhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1352
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1768
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1288
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\powershell.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2732
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\conhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:820
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\powershell.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1572
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\taskhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1064
            • C:\Program Files (x86)\Common Files\conhost.exe
              "C:\Program Files (x86)\Common Files\conhost.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:2400
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2512
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:2404
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:2568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:1340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\wininit.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1200
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:2664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:2280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:2812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2616
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2580
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:2480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\smss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:2600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:2380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:2416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Documents\My Pictures\explorer.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Documents\My Pictures\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:2180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c9631" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /f
      1⤵
      • Process spawned unexpected child process
      PID:2436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:2808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c9631" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:2488
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      PID:1940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:1856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2296
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      PID:2316
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Pictures\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      PID:1608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1252
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Templates\audiodg.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2016
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Templates\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1188
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c9631" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /f
      1⤵
      • Process spawned unexpected child process
      PID:944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:1612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c9631" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2900
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:3036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:2532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:2468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\sppsvc.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Ease of Access Themes\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1316
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\it-IT\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\it-IT\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\it-IT\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /f
      1⤵
      • DcRat
      • Creates scheduled task(s)
      PID:1524
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:1672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Creates scheduled task(s)
      PID:268
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
      1⤵
        PID:3052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:2844
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        PID:544
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\conhost.exe'" /f
        1⤵
        • DcRat
        • Creates scheduled task(s)
        PID:1992
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\conhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        PID:2232
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\conhost.exe'" /rl HIGHEST /f
        1⤵
          PID:1368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\en-US\WmiPrvSE.exe'" /f
          1⤵
          • Creates scheduled task(s)
          PID:2468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\IME\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          PID:1072
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
            PID:1316
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\powershell.exe'" /f
            1⤵
            • DcRat
            • Creates scheduled task(s)
            PID:2820
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\powershell.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Creates scheduled task(s)
            PID:1292
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\powershell.exe'" /rl HIGHEST /f
            1⤵
            • Creates scheduled task(s)
            PID:2620
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\it-IT\conhost.exe'" /f
            1⤵
              PID:1804
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\conhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:1920
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\it-IT\conhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              PID:1756
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:1364
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:2580
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:1764
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c9631" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /f
              1⤵
                PID:2096
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963" /sc ONLOGON /tr "'C:\Users\Public\Desktop\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /rl HIGHEST /f
                1⤵
                • DcRat
                • Creates scheduled task(s)
                PID:2444
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c9631" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /rl HIGHEST /f
                1⤵
                • DcRat
                • Creates scheduled task(s)
                PID:1656
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\powershell.exe'" /f
                1⤵
                • DcRat
                • Creates scheduled task(s)
                PID:772
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\powershell.exe'" /rl HIGHEST /f
                1⤵
                • DcRat
                PID:1784
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\powershell.exe'" /rl HIGHEST /f
                1⤵
                • DcRat
                • Creates scheduled task(s)
                PID:2240
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /f
                1⤵
                • Creates scheduled task(s)
                PID:1796
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
                1⤵
                • DcRat
                • Creates scheduled task(s)
                PID:2900
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
                1⤵
                  PID:2564
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Cookies\powershell.exe'" /f
                  1⤵
                  • Creates scheduled task(s)
                  PID:2392
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\powershell.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Creates scheduled task(s)
                  PID:2308
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\powershell.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  PID:556
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\taskhost.exe'" /f
                  1⤵
                  • Creates scheduled task(s)
                  PID:2736
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Links\taskhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Creates scheduled task(s)
                  PID:2804
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\taskhost.exe'" /rl HIGHEST /f
                  1⤵
                    PID:1468

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe
                    Filesize

                    1.9MB

                    MD5

                    29d80d247dfb4bd92b1bcfd7a7695d36

                    SHA1

                    0284cb27c754537c0440d9341a6fd07b0be1fa42

                    SHA256

                    19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963

                    SHA512

                    5b25f67c590204cb293e46e0eb10f47e0b02a3c3db1e6537c8a6414b598d4811c68c96a39b18391f750cf72fab4621eaec51fe4e4cc6b11c220823717e37c1e0

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\br1tpLa245.bat
                    Filesize

                    267B

                    MD5

                    7d130cc59da2af39feb9a5168a77d3b4

                    SHA1

                    6b1323ec2c977f5877a9561a89731c611e0e79c2

                    SHA256

                    25f7998e71ba565a5ee5ab0da5d3e1cfe8d9c679c5b6b8e0b98f428ae616c460

                    SHA512

                    a13269327b35d02cf488cc2e650fa59e6d29860552645551b0dddbd18402479c4284fcde849fb3e1238cbe82db04fc177169d77907b53b39cbc82b8d8342db44

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                    Filesize

                    7KB

                    MD5

                    0c99352d04f580a35a54dfdbbc5e740b

                    SHA1

                    824f65f53bfe43cafa1894825d8ff407826f10cb

                    SHA256

                    23c3af8a4c32d6d645b6b996ea40c806ed57aa35a34046ebd1fb4d886ddd3e8e

                    SHA512

                    a8acc38d8a01f5ff9f37710c20577b55682581e44e9552ce5c89053c3c6b42e4e19d75b1190943427d07b991c5be688c9e81793d505b6ba4b521d90387bcfe27

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                    Filesize

                    7KB

                    MD5

                    fdf79caf1782029ddcda7958de1ea0ef

                    SHA1

                    7177c3f84690d070e5e979db105f1a8e2e42b062

                    SHA256

                    9785ecec2b6aaf312cc600e037ee25e568073654b40e8bda5db5df21f19d893d

                    SHA512

                    409602a51ebb012a31ea415a96e6a000b62562ba191fd4cd2871baab3d77a523dc7998172855183720700481fdb4fe2167564ddac5989e166716d56dd2aa32ec

                    Download Submit

                  • memory/920-376-0x0000000000350000-0x0000000000362000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/920-336-0x0000000000360000-0x000000000055A000-memory.dmp

                    Filesize

                    2.0MB

                    Download

                  • memory/1680-95-0x0000000002560000-0x0000000002568000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/1708-9-0x0000000002080000-0x000000000208C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/1708-23-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1708-10-0x0000000002090000-0x00000000020A2000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/1708-11-0x00000000020A0000-0x00000000020AC000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/1708-12-0x000000001A850000-0x000000001A85C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/1708-13-0x000000001A910000-0x000000001A918000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/1708-14-0x000000001A860000-0x000000001A86C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/1708-15-0x000000001A870000-0x000000001A87E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/1708-16-0x000000001A900000-0x000000001A908000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/1708-17-0x000000001A920000-0x000000001A92E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/1708-18-0x000000001ADE0000-0x000000001ADEC000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/1708-19-0x000000001ADF0000-0x000000001ADFA000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/1708-20-0x000000001AE00000-0x000000001AE0C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/1708-21-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1708-22-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1708-0-0x000007FEF4E43000-0x000007FEF4E44000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1708-24-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1708-8-0x0000000000520000-0x0000000000530000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1708-72-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1708-7-0x0000000002060000-0x0000000002076000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1708-6-0x0000000000510000-0x0000000000520000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1708-5-0x00000000004F0000-0x000000000050C000-memory.dmp

                    Filesize

                    112KB

                    Download

                  • memory/1708-1-0x0000000000130000-0x000000000032A000-memory.dmp

                    Filesize

                    2.0MB

                    Download

                  • memory/1708-2-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1708-4-0x00000000004E0000-0x00000000004E8000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/1708-3-0x00000000003D0000-0x00000000003DE000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/1756-186-0x000000001B340000-0x000000001B622000-memory.dmp

                    Filesize

                    2.9MB

                    Download

                  • memory/1816-106-0x0000000000AD0000-0x0000000000CCA000-memory.dmp

                    Filesize

                    2.0MB

                    Download

                  • memory/2528-208-0x0000000002210000-0x0000000002218000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/2896-87-0x000000001B1B0000-0x000000001B492000-memory.dmp

                    Filesize

                    2.9MB

                    Download