Overview

overview

10

Static

static

10

eab2a57923...d5.exe

windows7-x64

10

eab2a57923...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    04-07-2024 05:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5.exe

  • Size

    2.9MB

  • MD5

    ae3ebf1bdd4cfaaf60058c82c1e3075f

  • SHA1

    7cd11b62afe32197e71c18fd480912e5166a19a5

  • SHA256

    eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5

  • SHA512

    4424a2614b0b73bbffe39a4f0b68d41f8f90488333995ce7d47f97274bf6d9b051a0c92511e7df3949478bb2e7d1a1923ef94058a78a6b3bf06aca1738e6be34

  • SSDEEP

    49152:iBojA1ji5x2V6bA30eGCYdDwhc2Mmpj+6y0bgli9xPMC6Mux:iU5jbimFwhc2zjb3glukrx

Score
10/10
dcratexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 31 IoCs
    persistence
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 33 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 13 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 62 IoCs
    persistence
  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 24 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5.exe
    "C:\Users\Admin\AppData\Local\Temp\eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5.exe"
    1⤵
    • DcRat
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3040
      • C:\Windows\SysWOW64\msiexec.exe
        "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1500
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2956
    • C:\Users\Admin\AppData\Local\Temp\FinalMom.exe
      "C:\Users\Admin\AppData\Local\Temp\FinalMom.exe"
      2⤵
      • Executes dropped EXE
      PID:940
    • C:\Users\Admin\AppData\Local\Temp\solara.exe
      "C:\Users\Admin\AppData\Local\Temp\solara.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\oIWytMk.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Surrogateprovidercomponentsessionmonitor\GPEuaUZk.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2516
          • C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
            "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"
            5⤵
            • DcRat
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2524
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2512
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\browserwinsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2768
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\cmd.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2712
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\sppsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2580
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3044
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\lsm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1880
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\spoolsv.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2432
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\wininit.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2832
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1952
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1132
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\audiodg.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1144
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\browserwinsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1940
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2040
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\explorer.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2732
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmd.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1972
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ecp6yeo5XL.bat"
              6⤵
                PID:2924
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:2400
                  • C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                    "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"
                    7⤵
                    • Modifies WinLogon for persistence
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Drops file in Program Files directory
                    • Drops file in Windows directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1668
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2268
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\wininit.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2548
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\conhost.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1532
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\smss.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1588
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\smss.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3064
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\Idle.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2856
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\de-DE\Idle.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2504
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1500
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\System.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:780
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:308
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\lsass.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2248
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:980
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\lsm.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2680
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\conhost.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:560
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\msiexec.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2016
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1764
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\conhost.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1496
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\conhost.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2612
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7vZhipSfUU.bat"
                      8⤵
                        PID:1664
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:1580
                          • C:\Program Files (x86)\Windows Sidebar\de-DE\Idle.exe
                            "C:\Program Files (x86)\Windows Sidebar\de-DE\Idle.exe"
                            9⤵
                            • Executes dropped EXE
                            • Modifies system certificate store
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2320
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "browserwinsvcb" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\browserwinsvc.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:1124
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "browserwinsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\browserwinsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1120
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "browserwinsvcb" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\browserwinsvc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:760
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\cmd.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2280
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Documents\cmd.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2988
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\cmd.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1540
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\sppsvc.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2388
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2556
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1988
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:488
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1068
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:660
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\lsm.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1516
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\lsm.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1992
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\lsm.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1048
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1036
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:1348
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2172
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Surrogateprovidercomponentsessionmonitor\wininit.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:1548
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Surrogateprovidercomponentsessionmonitor\wininit.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1452
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Surrogateprovidercomponentsessionmonitor\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:800
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2132
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2044
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:904
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:692
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2208
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:2320
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\audiodg.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1056
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:644
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:1248
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "browserwinsvcb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\browserwinsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "browserwinsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\browserwinsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3020
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "browserwinsvcb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\browserwinsvc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:1604
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2736
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2968
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2156
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Surrogateprovidercomponentsessionmonitor\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            PID:2184
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Surrogateprovidercomponentsessionmonitor\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1936
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Surrogateprovidercomponentsessionmonitor\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2680
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmd.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:2868
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmd.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2716
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmd.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:2456
          • C:\Windows\system32\msiexec.exe
            C:\Windows\system32\msiexec.exe /V
            1⤵
            • Blocklisted process makes network request
            • Enumerates connected drives
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            PID:2676
            • C:\Windows\system32\MsiExec.exe
              C:\Windows\system32\MsiExec.exe -Embedding 71AA1B5FA7C1B2A5B74EBAC0B117FC54
              2⤵
              • Loads dropped DLL
              PID:2892
            • C:\Windows\syswow64\MsiExec.exe
              C:\Windows\syswow64\MsiExec.exe -Embedding 99D0574351A4C5AD918CD88EA38151F3
              2⤵
              • Loads dropped DLL
              PID:2640
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\wininit.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2740
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\wininit.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2680
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\wininit.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:2848
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:956
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2348
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1216
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\smss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2712
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\smss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1016
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\smss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:2256
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2976
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\smss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:2424
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\smss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1552
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\Idle.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1640
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:836
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:1104
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\Idle.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1808
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            PID:1528
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1992
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1128
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2600
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2932
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Surrogateprovidercomponentsessionmonitor\System.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            PID:1952
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Surrogateprovidercomponentsessionmonitor\System.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:2176
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Surrogateprovidercomponentsessionmonitor\System.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:2616
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1080
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:1948
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:2748
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\lsass.exe'" /f
            1⤵
              PID:1124
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1144
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\lsass.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              PID:2928
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:1616
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:1996
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1468
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\lsm.exe'" /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:3068
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2168
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              PID:2656
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\conhost.exe'" /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:2320
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2436
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2136
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\msiexec.exe'" /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:904
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\MSOCache\All Users\msiexec.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              PID:2336
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\msiexec.exe'" /rl HIGHEST /f
              1⤵
                PID:2768
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /f
                1⤵
                • DcRat
                PID:1604
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f
                1⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2004
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f
                1⤵
                • DcRat
                • Scheduled Task/Job: Scheduled Task
                PID:1248
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Surrogateprovidercomponentsessionmonitor\conhost.exe'" /f
                1⤵
                • DcRat
                PID:2084
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Surrogateprovidercomponentsessionmonitor\conhost.exe'" /rl HIGHEST /f
                1⤵
                • Scheduled Task/Job: Scheduled Task
                PID:1192
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Surrogateprovidercomponentsessionmonitor\conhost.exe'" /rl HIGHEST /f
                1⤵
                • DcRat
                PID:3020
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\conhost.exe'" /f
                1⤵
                • DcRat
                PID:2868
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\conhost.exe'" /rl HIGHEST /f
                1⤵
                • Scheduled Task/Job: Scheduled Task
                PID:1912
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\conhost.exe'" /rl HIGHEST /f
                1⤵
                  PID:1868

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Command and Scripting Interpreter

                1
                T1059

                PowerShell

                1
                T1059.001

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Persistence

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Winlogon Helper DLL

                1
                T1547.004

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Privilege Escalation

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Winlogon Helper DLL

                1
                T1547.004

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Defense Evasion

                Modify Registry

                3
                T1112

                Subvert Trust Controls

                1
                T1553

                Install Root Certificate

                1
                T1553.004

                Credential Access

                Unsecured Credentials

                2
                T1552

                Credentials In Files

                2
                T1552.001

                Discovery

                Peripheral Device Discovery

                1
                T1120

                Query Registry

                2
                T1012

                System Information Discovery

                2
                T1082

                Lateral Movement

                Collection

                Data from Local System

                2
                T1005

                Command and Control

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Surrogateprovidercomponentsessionmonitor\GPEuaUZk.bat
                  Filesize

                  63B

                  MD5

                  6de687cf7ca366429c953cb49905b70a

                  SHA1

                  58e2c1823c038d8da8a2f042672027184066279e

                  SHA256

                  80d02a1cb8e68ffbc609a6c4914600604153ce929d46994200f837d354a5a611

                  SHA512

                  6bfa7a07d6adf167458cece0ba3a110479ee7677feb58c0ae9ba5c8913bcdda13664060ce0261abc1668c18831d5c73f6bc570be8595323d46704b810fc024ef

                  Download Submit

                • C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                  Filesize

                  1.5MB

                  MD5

                  037a82f24f4cddb5c5c5cdd21a64f307

                  SHA1

                  a310eecaa57af7cd61ba38805acba246c433b479

                  SHA256

                  3829c70319b18efdd69f5f8d0d7b5c5855c29f7c5b7395f5a82bf53c8988624b

                  SHA512

                  b7d9604ce79f1d56ea6c221aade92b0492e737384c5604b134587edf08c13d163539c5f2864864e3d7b50e6cb4f75975ab6a7a715f849e961442a05ee0280bcc

                  Download Submit

                • C:\Surrogateprovidercomponentsessionmonitor\oIWytMk.vbe
                  Filesize

                  225B

                  MD5

                  391a96335b25ba0a8cebdf4628d737cf

                  SHA1

                  3b81d5ba63397e5e542bf8090888c4b6f8037e92

                  SHA256

                  835d12603e51f2c557699e79109d011a01b72e3041c566e3422602f172eda58f

                  SHA512

                  47b74d5cd5adba289dde01fea763267d73468555da6d6d366b76590454481072bc3c2362765e3c6af6155c8f9e54fad0a53118f75eae78ff24ffee0046b5583c

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
                  Filesize

                  70KB

                  MD5

                  49aebf8cbd62d92ac215b2923fb1b9f5

                  SHA1

                  1723be06719828dda65ad804298d0431f6aff976

                  SHA256

                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                  SHA512

                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
                  Filesize

                  1KB

                  MD5

                  a266bb7dcc38a562631361bbf61dd11b

                  SHA1

                  3b1efd3a66ea28b16697394703a72ca340a05bd5

                  SHA256

                  df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                  SHA512

                  0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                  Filesize

                  342B

                  MD5

                  24fd6da5e70d8454e370bc4ba8dbd5e4

                  SHA1

                  171e0471e798802a0693aeacb9cf3f36fe718ae6

                  SHA256

                  2d3965fb246b62bd5b0ca22aa9f8a7e476592c962cabe405d23105ced2f67928

                  SHA512

                  5888e54b155a87b68c1ea41ac89888ac0f9f04d78f599866bc06c8b0dd79394a6e0270c080677a7404c92a0d1d44a6527ef3dd1819d59ef74696e85b0145943f

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
                  Filesize

                  242B

                  MD5

                  571bc6d3943c28101ac5bfeaf23335bf

                  SHA1

                  9b96ccbc457697432d111ceb602ef5df959d0067

                  SHA256

                  78cd1f08dbbe0a20902fed50fb806a071dd071edf387b94950ec11e72f2f463c

                  SHA512

                  89904fba560c21c305a89479eab546441a8013aee807f68c276f47ad03673f533e453d36ec5f6c72b3a49774564768f5991d556c423b9e0532df30caf52539b2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7vZhipSfUU.bat
                  Filesize

                  218B

                  MD5

                  06bbede6bb16e100a83ecf4d947af366

                  SHA1

                  2d7bd4fbb935e938978add8492020224c052a45f

                  SHA256

                  febf0c6b631772f70923d74718a5b72071c2d05feb0ce077b9d488f53b598523

                  SHA512

                  bf7085d05014d9cbf4f83a69969a33d7bd9aae47036f8f5a106054e374696b08683c30fea2b483a64885293fbf5ce2e3aceba1dcc17a9c65a5ec488be0c8e359

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Ecp6yeo5XL.bat
                  Filesize

                  226B

                  MD5

                  1bce1309cd5b58c59eff17261e4e0c57

                  SHA1

                  88f9895962deb2e7cbd8dd857ad906d8879cfca0

                  SHA256

                  b6a19b37e4ed11d0b5066092b85ee4176134d975282fd754ef996766343c397d

                  SHA512

                  730b2edd7a366ab399a8a60bc979ca78a279edeac688f4f45596594e2cc1a4d9b0541910db47b4692c127b7ce87afd0ce100495b0bfeb6cc3b852fd6d446bca9

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\FinalMom.exe
                  Filesize

                  368KB

                  MD5

                  233571d2819b35fbff3ca0689ff35f72

                  SHA1

                  601abe43c0a07e5457b93c47ab1b119ff9ace70c

                  SHA256

                  d5f49ad3ddadeade12e5be50db388d68970f9b9285ab141d6148d6d8d017eef0

                  SHA512

                  ab25f47076eb1bc7465dce10fa9bc299926fbb714ff5652634f26bbeba5d9599b0364f3888c9be49573735a5693c2b146621951c17fc58b600721fe3502089f9

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Tar1DE2.tmp
                  Filesize

                  181KB

                  MD5

                  4ea6026cf93ec6338144661bf1202cd1

                  SHA1

                  a1dec9044f750ad887935a01430bf49322fbdcb7

                  SHA256

                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                  SHA512

                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi
                  Filesize

                  30.1MB

                  MD5

                  0e4e9aa41d24221b29b19ba96c1a64d0

                  SHA1

                  231ade3d5a586c0eb4441c8dbfe9007dc26b2872

                  SHA256

                  5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

                  SHA512

                  e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                  Filesize

                  7KB

                  MD5

                  b7605f8bdf0deda4c20f511db6e84c37

                  SHA1

                  d88f2270e7aba4b6cc471f6b893a46e18782fa3b

                  SHA256

                  4b722ab79fd3b7f53660fcc41da7ab0506e64cc8d9e75857b11c760d6915a377

                  SHA512

                  14d683573c5a24aab7d42538457634e09fc01442b131b855cdd75b3ecc78515c8a57121b6cc43860cac5fe36635a34cb4cb7bad26e216df3c2ef186107d8975d

                  Download Submit

                • C:\Windows\Installer\MSI399D.tmp
                  Filesize

                  122KB

                  MD5

                  9fe9b0ecaea0324ad99036a91db03ebb

                  SHA1

                  144068c64ec06fc08eadfcca0a014a44b95bb908

                  SHA256

                  e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

                  SHA512

                  906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                  Filesize

                  797KB

                  MD5

                  36b62ba7d1b5e149a2c297f11e0417ee

                  SHA1

                  ce1b828476274375e632542c4842a6b002955603

                  SHA256

                  8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c

                  SHA512

                  fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\solara.exe
                  Filesize

                  1.8MB

                  MD5

                  4c7ed600c86e1359d74ee54244f3f5b4

                  SHA1

                  becd9d29a85fe3ff7601c93b02d271a627dfc3e8

                  SHA256

                  3a1b626df8d7a9f83b55d46fd7ce402b76f2198ee6908e8e058c84397206e7a5

                  SHA512

                  74f127060857189f4b30c95666c6333ae7887a7615ace39e687ffdc8715bb9dd400e2e5e1af056ae22176bcca957f15a572c9204d9d8a9fd6d8c801929416452

                  Download Submit

                • \Windows\Installer\MSI3A0C.tmp
                  Filesize

                  211KB

                  MD5

                  a3ae5d86ecf38db9427359ea37a5f646

                  SHA1

                  eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

                  SHA256

                  c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

                  SHA512

                  96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

                  Download Submit

                • memory/940-22-0x0000000000290000-0x00000000002F2000-memory.dmp

                  Filesize

                  392KB

                  Download

                • memory/1668-238-0x00000000000E0000-0x0000000000264000-memory.dmp

                  Filesize

                  1.5MB

                  Download

                • memory/1936-20-0x0000000000400000-0x00000000006F7000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/2320-373-0x0000000000E40000-0x0000000000FC4000-memory.dmp

                  Filesize

                  1.5MB

                  Download

                • memory/2512-127-0x0000000001E80000-0x0000000001E88000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2512-126-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

                  Filesize

                  2.9MB

                  Download

                • memory/2524-37-0x0000000001240000-0x00000000013C4000-memory.dmp

                  Filesize

                  1.5MB

                  Download

                • memory/2524-82-0x000000001A7F0000-0x000000001A7FC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/2524-81-0x000000001A7E0000-0x000000001A7EA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/2524-80-0x000000001A7D0000-0x000000001A7DE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/2524-79-0x0000000000DB0000-0x0000000000DBE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/2524-78-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2524-77-0x0000000000C80000-0x0000000000C96000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2524-76-0x0000000000C70000-0x0000000000C78000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2524-75-0x0000000000BD0000-0x0000000000BEC000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/2524-38-0x0000000000340000-0x000000000034E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/2548-288-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

                  Filesize

                  2.9MB

                  Download

                • memory/2548-289-0x0000000001F70000-0x0000000001F78000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3040-21-0x0000000000390000-0x000000000045E000-memory.dmp

                  Filesize

                  824KB

                  Download