Analysis

  • max time kernel
    119s
  • max time network
    115s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 14:02

General

  • Target

    b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe

  • Size

    1.1MB

  • MD5

    b8da80bdfe6252c354345441684b6151

  • SHA1

    040dcd00ac82eb3add9bd49bc9c2c773093cdd07

  • SHA256

    b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9

  • SHA512

    da03b9665eb425db14c28ddc631a3cda5425ed140d2bae37b08a8c9f8e6208a45072be53d8b02b4e15bab53fa439e46d27c0a2681f3c94d1b3ae47de37e5a7e6

  • SSDEEP

    24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpdD:EPkVXFGDQoP7FRCZRonh4hfewhmpdD

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 30 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe
    "C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe
      "{path}"
      2⤵
        PID:2816
      • C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe
        "{path}"
        2⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1804
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2152
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\logs\winlogon.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1612
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:776
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\smss.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2756
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2600
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\spoolsv.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2752
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\Idle.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2208
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\smss.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3048
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3032
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1548
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\fr-FR\taskhost.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2848
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2396
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2012
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\Idle.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2844
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2780
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dwm.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2860
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1132
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2128
        • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe
          "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:1560
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe
            "{path}"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1248
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0188f4bb-870b-4299-bf10-22b2001dc962.vbs"
              5⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:1104
              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe
                C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1652
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a097a57-80df-40a2-af6f-c2f432e10985.vbs"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2188
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\security\logs\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\security\logs\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\security\logs\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Searches\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2072
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2200
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Vss\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2216
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3004
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:776
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\System\ado\fr-FR\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ado\fr-FR\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\ado\fr-FR\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9b" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2252
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9b" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\tracing\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1068

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe

      Filesize

      1.1MB

      MD5

      7ea09c9a4b86114d8aab3a82d58ee7c1

      SHA1

      d440f0374e7be38794d5a17b882329c0acea186f

      SHA256

      eb105426f3cbdd1e791709e7f2c36654a40820a73376558840da35b9c5c56c92

      SHA512

      0b1218986f4520889dc7157ce139035be2a1ca1bd6f3d057c56c75a16b53177fb583d66df2c0b6025d9c0c84551071ddf84d247b44963151cf79b112a0c95e0a

    • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe

      Filesize

      1.1MB

      MD5

      2e7e0f18bb6283d0f36762b8ccb7296f

      SHA1

      66c48d4bec9a6f926bf0521907a7d018c3c8e8f6

      SHA256

      deae2afc30db6f5c0fa80a742be75e3dcbd6eb19e50700f972be658d9d1927aa

      SHA512

      e71d75827450a863c2a84b7d16b25df654ea49153e502cffb9a530e2112d51026629e032ed28f88ce4520ee06fff52922ab3bdf9fd3fd17fca9604ab2e832039

    • C:\Program Files\Common Files\System\ado\fr-FR\taskhost.exe

      Filesize

      1.1MB

      MD5

      c479b0be80d7bed69cd64efaa231e575

      SHA1

      216f49c3751db57a49d8083741fc2d3115b839e3

      SHA256

      981436c685baf6183600168cd0757fa0d06ae888d2e766b089873d8bca0da263

      SHA512

      157ce4cdea7afeada8ae0228629ac9c59ad18f4d6fd7f7bf677c61f13dd8430ec0f16388400f7cf88c4db22255b99ea7087e898c038ea62e99bfba4a3503adf6

    • C:\Program Files\Reference Assemblies\Microsoft\smss.exe

      Filesize

      1.1MB

      MD5

      a3fdd29e23d9d4ab8ccba1158e94729f

      SHA1

      e84fe1796b6524b027493c0efaee47eb6c963392

      SHA256

      bbb782aeb66043c4db57872024154954b430fe9c8b7bf39ba7e88ce1c7c976bf

      SHA512

      d6e2faa45fbfe30c05b57f86da97c024ff503c4fe04d7811373353407f1c1a9a21ed69f64421727cd8fd6892656f99d8384e121a763ca1b2dd7fd33a74d9e12e

    • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe

      Filesize

      1.1MB

      MD5

      b8da80bdfe6252c354345441684b6151

      SHA1

      040dcd00ac82eb3add9bd49bc9c2c773093cdd07

      SHA256

      b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9

      SHA512

      da03b9665eb425db14c28ddc631a3cda5425ed140d2bae37b08a8c9f8e6208a45072be53d8b02b4e15bab53fa439e46d27c0a2681f3c94d1b3ae47de37e5a7e6

    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe

      Filesize

      1.1MB

      MD5

      06f664a34b23a33e2afafe88cf377d6f

      SHA1

      a00646141499391dbbc15b0fa0d675889a427a4d

      SHA256

      90a176c904a28fcaab9b3e4265e05d6edd05d683e9234de7bbb88a50d7feba6f

      SHA512

      1130d8dc7938f9558ed27347eb1ed88a1fc0f05c3a8dbf4ce88fc3d4a60214999061861c9866b01cfc0221fdfd9e5fa992a02ef69434e1c5d35c91758f0f1988

    • C:\Users\Admin\AppData\Local\Temp\0188f4bb-870b-4299-bf10-22b2001dc962.vbs

      Filesize

      737B

      MD5

      f11d0f66dec03a96b576970bfbdc770e

      SHA1

      1adb60f9dda35472b2cc33d66d91b28c73203b47

      SHA256

      e02fc80ca861ee9f9881e9aca235b440820eb1aded65dace98f90e88b43f2baf

      SHA512

      2ea0e7d56a0ab8a5d8b80a7deb9ffa89832a7328e6b1883fbf5bb871457b90cbb18cbb4edcc46f25ceaa3eb0da2ebf0bff4e5d64c1e857991dc4413fd6ea9cbc

    • C:\Users\Admin\AppData\Local\Temp\6a097a57-80df-40a2-af6f-c2f432e10985.vbs

      Filesize

      513B

      MD5

      d99f90ec570dc923710d4575c6e1dbd8

      SHA1

      cda2ac4a3b600ba7ff434b007cb6443264b42547

      SHA256

      5d533b8de1873f7c8a3f30ca2c2662427ab78c91a2ab8397547e846da274b7e3

      SHA512

      1c9dd3997dea322417a63d914c57d01841aafc71c1646d8aaab6e0eeb0187c96d3676609a7705b304441c468758d5868c019995e7af6cf26a5ffdca436754559

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      f138c16245380186a5abf99d863465bc

      SHA1

      12db3095dbfbc2f0ea87a2b8f6b0918ae446f64b

      SHA256

      1d729b12a0167c90f72bea03fa6df6f033893cc3803bd47077e4485c98a9e816

      SHA512

      7467518102235cdef34a789309649c213c9b500aea6649c7081ff7c03012f20161b2387c381c0652f4ebd3597683f3c496133d8c79bd8784e611124fdeef1601

    • C:\Windows\Vss\spoolsv.exe

      Filesize

      1.1MB

      MD5

      b9fff629ee386d8f49a979ad93d35d16

      SHA1

      d623e45eb353de6acef89757667920f991d8a46b

      SHA256

      3d3ff322d111ac2a186118983d3e24d60cc5828909cf50dc9f66f7bdd2ba9238

      SHA512

      8d7a740186ad79c9260735535b3aa1b54f1aebd8f88955ba8136bef81f5ca80618c31d93ad564213ed89860457db7a85730cfc5be7cf779a3c5bd455522439e7

    • memory/1248-364-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/1560-354-0x0000000000890000-0x00000000009BC000-memory.dmp

      Filesize

      1.2MB

    • memory/1652-380-0x0000000000E20000-0x0000000000F4C000-memory.dmp

      Filesize

      1.2MB

    • memory/1764-20-0x0000000074450000-0x0000000074B3E000-memory.dmp

      Filesize

      6.9MB

    • memory/1764-0-0x000000007445E000-0x000000007445F000-memory.dmp

      Filesize

      4KB

    • memory/1764-1-0x0000000001370000-0x000000000149C000-memory.dmp

      Filesize

      1.2MB

    • memory/1764-2-0x0000000074450000-0x0000000074B3E000-memory.dmp

      Filesize

      6.9MB

    • memory/1764-3-0x00000000002C0000-0x00000000002D2000-memory.dmp

      Filesize

      72KB

    • memory/1764-4-0x000000007445E000-0x000000007445F000-memory.dmp

      Filesize

      4KB

    • memory/1764-5-0x0000000074450000-0x0000000074B3E000-memory.dmp

      Filesize

      6.9MB

    • memory/1764-6-0x0000000005900000-0x00000000059F6000-memory.dmp

      Filesize

      984KB

    • memory/1764-7-0x0000000005F60000-0x000000000608E000-memory.dmp

      Filesize

      1.2MB

    • memory/2856-24-0x00000000008F0000-0x0000000000906000-memory.dmp

      Filesize

      88KB

    • memory/2856-11-0x0000000000400000-0x000000000052E000-memory.dmp

      Filesize

      1.2MB

    • memory/2856-27-0x00000000005D0000-0x00000000005DC000-memory.dmp

      Filesize

      48KB

    • memory/2856-28-0x00000000005E0000-0x00000000005EA000-memory.dmp

      Filesize

      40KB

    • memory/2856-29-0x00000000005F0000-0x00000000005FE000-memory.dmp

      Filesize

      56KB

    • memory/2856-30-0x0000000000600000-0x000000000060C000-memory.dmp

      Filesize

      48KB

    • memory/2856-31-0x0000000000E70000-0x0000000000E7A000-memory.dmp

      Filesize

      40KB

    • memory/2856-32-0x0000000000E90000-0x0000000000E9C000-memory.dmp

      Filesize

      48KB

    • memory/2856-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2856-14-0x0000000000400000-0x000000000052E000-memory.dmp

      Filesize

      1.2MB

    • memory/2856-164-0x0000000074450000-0x0000000074B3E000-memory.dmp

      Filesize

      6.9MB

    • memory/2856-26-0x0000000000E50000-0x0000000000E62000-memory.dmp

      Filesize

      72KB

    • memory/2856-19-0x0000000074450000-0x0000000074B3E000-memory.dmp

      Filesize

      6.9MB

    • memory/2856-16-0x0000000000400000-0x000000000052E000-memory.dmp

      Filesize

      1.2MB

    • memory/2856-203-0x0000000074450000-0x0000000074B3E000-memory.dmp

      Filesize

      6.9MB

    • memory/2856-18-0x0000000000400000-0x000000000052E000-memory.dmp

      Filesize

      1.2MB

    • memory/2856-25-0x0000000000B10000-0x0000000000B20000-memory.dmp

      Filesize

      64KB

    • memory/2856-23-0x0000000000650000-0x0000000000660000-memory.dmp

      Filesize

      64KB

    • memory/2856-22-0x0000000000630000-0x000000000064C000-memory.dmp

      Filesize

      112KB

    • memory/2856-355-0x0000000074450000-0x0000000074B3E000-memory.dmp

      Filesize

      6.9MB

    • memory/2856-21-0x0000000074450000-0x0000000074B3E000-memory.dmp

      Filesize

      6.9MB

    • memory/2856-8-0x0000000000400000-0x000000000052E000-memory.dmp

      Filesize

      1.2MB

    • memory/2856-9-0x0000000000400000-0x000000000052E000-memory.dmp

      Filesize

      1.2MB

    • memory/2856-10-0x0000000000400000-0x000000000052E000-memory.dmp

      Filesize

      1.2MB