Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 17:39

General

  • Target

    0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe

  • Size

    1.8MB

  • MD5

    a1b557c65fa59d8f91138e5cd4f0053e

  • SHA1

    94139bac4ae269f6d38f5c7946475855a71c659d

  • SHA256

    0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126

  • SHA512

    bf72078a5cb40f512f3061a13ecaa3f924d70a5a65c2146f3efeca0655c3924f535785698b3db740f4ae1a51ba6685dc4f2afd911d99d3a58eff86f4aa5c18ee

  • SSDEEP

    49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMhX:mgVTVXYNX9mOWSkMp

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 18 IoCs
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 12 IoCs
  • Drops file in Program Files directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
    "C:\Users\Admin\AppData\Local\Temp\0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\attachments\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\services.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\it-IT\lsass.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3012
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4YhpUhHpv9.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2044
        • C:\Users\Default User\csrss.exe
          "C:\Users\Default User\csrss.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2544
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f74becb9-a95a-4017-8bb7-c39c6caa88f7.vbs"
            4⤵
              PID:2784
              • C:\Users\Default User\csrss.exe
                "C:\Users\Default User\csrss.exe"
                5⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:1804
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\843e44c3-bf0e-4fc5-a89f-b6078ead0e57.vbs"
                  6⤵
                    PID:2320
                    • C:\Users\Default User\csrss.exe
                      "C:\Users\Default User\csrss.exe"
                      7⤵
                      • UAC bypass
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • System policy modification
                      PID:2140
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\126dda93-e2c3-4afc-8abf-466ec481278c.vbs"
                        8⤵
                          PID:2844
                          • C:\Users\Default User\csrss.exe
                            "C:\Users\Default User\csrss.exe"
                            9⤵
                            • UAC bypass
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • System policy modification
                            PID:1088
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d23f34c8-3a1b-4235-b093-65628362c6d4.vbs"
                              10⤵
                                PID:2664
                                • C:\Users\Default User\csrss.exe
                                  "C:\Users\Default User\csrss.exe"
                                  11⤵
                                  • UAC bypass
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • System policy modification
                                  PID:836
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f3ddfa8-2397-451f-8022-cc90b236d9fb.vbs"
                                    12⤵
                                      PID:2612
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b1f97bd-a044-4898-b3c3-7ecc401de511.vbs"
                                      12⤵
                                        PID:2972
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4e4ef35-9f67-42e4-9a2f-cca845915bf1.vbs"
                                    10⤵
                                      PID:584
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\894d5b64-5b41-49f8-940c-04c2578510c6.vbs"
                                  8⤵
                                    PID:2776
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cfdfcb8-24cb-4373-a809-3fac47e2b291.vbs"
                                6⤵
                                  PID:1928
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bcbd567-d230-4703-9261-bcab3b292b2d.vbs"
                              4⤵
                                PID:2156
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2656
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2772
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1980
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2664
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2708
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2948
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1544
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1732
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2432
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1664
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2728
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2176
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:600
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2896
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2892
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:3004
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:988
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2020
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1920
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2252
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2284
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\Crashpad\attachments\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:320
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1152
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\Crashpad\attachments\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:900
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1600
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2172
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2388
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2120
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2096
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2512
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1056
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2312
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1916
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1376
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2588
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:916
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:952
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2404
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1772
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:664
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1712
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1040
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1756
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2368
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1988
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\it-IT\lsass.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2240
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\lsass.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:2608
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\it-IT\lsass.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1380
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1632
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1992
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Scheduled Task/Job: Scheduled Task
                          PID:1784

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Program Files (x86)\Uninstall Information\explorer.exe

                          Filesize

                          1.8MB

                          MD5

                          a1b557c65fa59d8f91138e5cd4f0053e

                          SHA1

                          94139bac4ae269f6d38f5c7946475855a71c659d

                          SHA256

                          0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126

                          SHA512

                          bf72078a5cb40f512f3061a13ecaa3f924d70a5a65c2146f3efeca0655c3924f535785698b3db740f4ae1a51ba6685dc4f2afd911d99d3a58eff86f4aa5c18ee

                        • C:\Users\Admin\AppData\Local\Temp\126dda93-e2c3-4afc-8abf-466ec481278c.vbs

                          Filesize

                          707B

                          MD5

                          ebe24885bf35b68c68cb243996ca098a

                          SHA1

                          50fd0e68580508af87279f0057f1dcf265b2d12b

                          SHA256

                          717f4cab1fca261748735dbf6356fde81de4d0378bcf72434c4cdd0a5e4fe4de

                          SHA512

                          d418ac6fa4d97dbe0360a6157b47b68df4796023c6f998cb96fe93524c2f92371c4fc7491371e8787ed6b7a08b57808303a66b7c67238e9cc604b922b63175d4

                        • C:\Users\Admin\AppData\Local\Temp\2f3ddfa8-2397-451f-8022-cc90b236d9fb.vbs

                          Filesize

                          706B

                          MD5

                          f4e8b5e9deb9f2b8398c60b6198f7e7a

                          SHA1

                          dac4609e6ee013d953e3840f742e76e54d208331

                          SHA256

                          1bc0bed8ca7e39522f167f874fd4e330220ad283857cfa54abb38f52a5036f55

                          SHA512

                          53cb474e78f5f4283079807ce4bd9d05eb18965ef8588c9c471e85974186dc90c8b64f3aba5c514609a3f3bbe74f163f56ea0d9a15b8711e818653d9a4e668e9

                        • C:\Users\Admin\AppData\Local\Temp\4YhpUhHpv9.bat

                          Filesize

                          196B

                          MD5

                          f6f6b7efae7e4b8bbfd7b8bc9557b183

                          SHA1

                          6b90e77fad395261ebcdd848059b52235551a038

                          SHA256

                          7e26d4a5a16ebe59a24b90096cea6c355698b8d34bc119bc30178b129df36140

                          SHA512

                          44787ac780ad3679338243565b8cb163f81f380a15c0262a0d8fa5f4fcd6b40f36bb253a3a88a8347c010162b1fda59032b17b39602ba1d43d31edb3ea49d6ea

                        • C:\Users\Admin\AppData\Local\Temp\6bcbd567-d230-4703-9261-bcab3b292b2d.vbs

                          Filesize

                          483B

                          MD5

                          09979966093be0c3dd8ad9eaa8055b7b

                          SHA1

                          62bf1cf05c442569c7fa7f770b049dfd8916892c

                          SHA256

                          5a01e9394156f47285bc9b4ae9dcda3efd0bf9e18aa5471a8973c365660c263b

                          SHA512

                          d51716bf3e9949520c3368c366c2a7f6a7f12b4fe29c1dbafd418e5182d60a9de169d30d1ab748436ff02975803d2ee1bc985eb9fd8ceddea57561826a9af74c

                        • C:\Users\Admin\AppData\Local\Temp\843e44c3-bf0e-4fc5-a89f-b6078ead0e57.vbs

                          Filesize

                          707B

                          MD5

                          83a7116b7e5136571cf7243e2171f660

                          SHA1

                          ecd53c42c99cef99354fbac71df88b3d1dcb4b99

                          SHA256

                          87de95b09b9ef601cbc11c1fa0531180856d6e6ed11ddb8ace79241943582cca

                          SHA512

                          0721b22902d67d325f1bbb2538f79473cfe0557824ab66603d0d561224f6a7bc2ac72741c72a4eef195c3944256914f0543758106fb01bf7738da9948c4410dc

                        • C:\Users\Admin\AppData\Local\Temp\d23f34c8-3a1b-4235-b093-65628362c6d4.vbs

                          Filesize

                          707B

                          MD5

                          d71cf5a7fea2a1faaf28fafaf36639c8

                          SHA1

                          02610925e1d0a59722c3da9f8b10b3b157f1269f

                          SHA256

                          7793c448a8a0e4ed111b2c5d4e746f0c77ccbf7fb456170de0d7fd220e5a4306

                          SHA512

                          4e48d0bdd5b4c1aa97d015c9815e6df3a97c30151a7762f92408df4e6541626c3d199ed93f1c6ef0593f9a4a06080514a602487158dccdf1c1b7cf49492d6782

                        • C:\Users\Admin\AppData\Local\Temp\f74becb9-a95a-4017-8bb7-c39c6caa88f7.vbs

                          Filesize

                          707B

                          MD5

                          0b47a46365de0297a45abe44682ccd08

                          SHA1

                          d4460f1984be5ab378495b72c2fa5b856054d999

                          SHA256

                          6e94f3da92efb97285c1b5c1661e150e7745e69d730be2f0dd2413305cd5b97c

                          SHA512

                          19f4eab23dd52e2d30c28279cc31565834e039281ad2a26844997f4f3563d402f05ea91ac0042564ea2903fc6843dec64a0fa22fd219e0cb55392364c5594da4

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                          Filesize

                          7KB

                          MD5

                          4a5b1c09400837834dd9d76eac9c1865

                          SHA1

                          1bd4439fe4982a70346f82931c6dd5088b3c4d56

                          SHA256

                          63783aaec3e2acd73828e3a08ce7304a41ba9842a33d3e900e3b54529ae0e934

                          SHA512

                          b197f686197a59e395331422f97232cab6eb594ed264fa80d50f65a92e5725cc5133aa0804a20db1c3620e76f033e2dc1fcd0085495b620d0a746ea413fbbf6c

                        • memory/316-193-0x000000001B700000-0x000000001B9E2000-memory.dmp

                          Filesize

                          2.9MB

                        • memory/836-318-0x0000000000280000-0x0000000000292000-memory.dmp

                          Filesize

                          72KB

                        • memory/1088-306-0x00000000004D0000-0x00000000004E2000-memory.dmp

                          Filesize

                          72KB

                        • memory/1696-194-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

                          Filesize

                          32KB

                        • memory/1804-280-0x00000000012A0000-0x000000000146E000-memory.dmp

                          Filesize

                          1.8MB

                        • memory/1804-281-0x0000000000590000-0x00000000005A2000-memory.dmp

                          Filesize

                          72KB

                        • memory/1804-282-0x0000000000A10000-0x0000000000A22000-memory.dmp

                          Filesize

                          72KB

                        • memory/2124-9-0x00000000004B0000-0x00000000004BA000-memory.dmp

                          Filesize

                          40KB

                        • memory/2124-0-0x000007FEF5593000-0x000007FEF5594000-memory.dmp

                          Filesize

                          4KB

                        • memory/2124-154-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

                          Filesize

                          9.9MB

                        • memory/2124-15-0x0000000000540000-0x000000000054C000-memory.dmp

                          Filesize

                          48KB

                        • memory/2124-14-0x0000000000530000-0x000000000053C000-memory.dmp

                          Filesize

                          48KB

                        • memory/2124-195-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

                          Filesize

                          9.9MB

                        • memory/2124-13-0x0000000000510000-0x000000000051E000-memory.dmp

                          Filesize

                          56KB

                        • memory/2124-12-0x0000000000500000-0x000000000050E000-memory.dmp

                          Filesize

                          56KB

                        • memory/2124-1-0x0000000000A00000-0x0000000000BCE000-memory.dmp

                          Filesize

                          1.8MB

                        • memory/2124-11-0x00000000004F0000-0x00000000004FA000-memory.dmp

                          Filesize

                          40KB

                        • memory/2124-10-0x00000000004C0000-0x00000000004D2000-memory.dmp

                          Filesize

                          72KB

                        • memory/2124-140-0x000007FEF5593000-0x000007FEF5594000-memory.dmp

                          Filesize

                          4KB

                        • memory/2124-8-0x00000000004A0000-0x00000000004B0000-memory.dmp

                          Filesize

                          64KB

                        • memory/2124-7-0x0000000000490000-0x00000000004A2000-memory.dmp

                          Filesize

                          72KB

                        • memory/2124-6-0x0000000000470000-0x0000000000486000-memory.dmp

                          Filesize

                          88KB

                        • memory/2124-2-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

                          Filesize

                          9.9MB

                        • memory/2124-4-0x0000000000140000-0x0000000000148000-memory.dmp

                          Filesize

                          32KB

                        • memory/2124-5-0x0000000000460000-0x0000000000470000-memory.dmp

                          Filesize

                          64KB

                        • memory/2124-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

                          Filesize

                          112KB

                        • memory/2140-294-0x0000000000280000-0x0000000000292000-memory.dmp

                          Filesize

                          72KB

                        • memory/2544-269-0x0000000000BD0000-0x0000000000D9E000-memory.dmp

                          Filesize

                          1.8MB