Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    15-12-2024 22:14

General

  • Target

    04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe

  • Size

    4.9MB

  • MD5

    ad6f5a9d1be209b53e4ea1e256a259b0

  • SHA1

    03da3df7b5d92d7c298e7c7fc9965f140f13000e

  • SHA256

    04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3

  • SHA512

    24bf284ce56fef4e52278ee6a4c85f27e6d754ff99c1858089c4c70fbca947bdc4e630b096ec29d74dc93eec4734bfc409a8d8837762c2754d8b665ab4258e88

  • SSDEEP

    49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • UAC bypass 3 TTPs 27 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 18 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
    "C:\Users\Admin\AppData\Local\Temp\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1496
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2228
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UDcpHa0YgN.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:952
        • C:\Users\Admin\Downloads\sppsvc.exe
          "C:\Users\Admin\Downloads\sppsvc.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:696
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9d5fb54-84f3-4902-a68f-1f5846ab4211.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1752
            • C:\Users\Admin\Downloads\sppsvc.exe
              C:\Users\Admin\Downloads\sppsvc.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1072
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e74207d-f7c8-4abb-a0c5-c3240e7894b7.vbs"
                6⤵
                  PID:1312
                  • C:\Users\Admin\Downloads\sppsvc.exe
                    C:\Users\Admin\Downloads\sppsvc.exe
                    7⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:2476
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c64755a-7df3-4da1-a7ef-544ddc49c165.vbs"
                      8⤵
                        PID:2916
                        • C:\Users\Admin\Downloads\sppsvc.exe
                          C:\Users\Admin\Downloads\sppsvc.exe
                          9⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:2324
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb33ab54-0383-4620-aebc-e1ce35f55c10.vbs"
                            10⤵
                              PID:2752
                              • C:\Users\Admin\Downloads\sppsvc.exe
                                C:\Users\Admin\Downloads\sppsvc.exe
                                11⤵
                                • UAC bypass
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:2036
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afe69088-bef3-4092-8fae-df1c0eee2603.vbs"
                                  12⤵
                                    PID:2424
                                    • C:\Users\Admin\Downloads\sppsvc.exe
                                      C:\Users\Admin\Downloads\sppsvc.exe
                                      13⤵
                                      • UAC bypass
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:2204
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\648e675a-8bd2-4bc3-a1d3-22199241953b.vbs"
                                        14⤵
                                          PID:2152
                                          • C:\Users\Admin\Downloads\sppsvc.exe
                                            C:\Users\Admin\Downloads\sppsvc.exe
                                            15⤵
                                            • UAC bypass
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:1688
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab848bcb-3a1c-4f77-b23c-443d988c69f8.vbs"
                                              16⤵
                                                PID:1192
                                                • C:\Users\Admin\Downloads\sppsvc.exe
                                                  C:\Users\Admin\Downloads\sppsvc.exe
                                                  17⤵
                                                  • UAC bypass
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:2884
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79a9795a-76db-4a6f-88ba-2808ee5b262b.vbs"
                                                    18⤵
                                                      PID:1616
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbd7b182-b31e-4bc1-97bf-1a6e4b26f95c.vbs"
                                                      18⤵
                                                        PID:2028
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8771af0-e8f4-4e4a-a2c5-ce467911f210.vbs"
                                                    16⤵
                                                      PID:2836
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e74953d-62db-4aad-9136-8857f43251e0.vbs"
                                                  14⤵
                                                    PID:1084
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff5562a8-6e77-4c37-b7db-085690ccc87a.vbs"
                                                12⤵
                                                  PID:2856
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a26fe279-fb3a-4d6d-947a-a3edd53a81b4.vbs"
                                              10⤵
                                                PID:2740
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d616968a-26af-40e9-ae0c-7bb35882edc2.vbs"
                                            8⤵
                                              PID:2108
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c9cb7fa-a7fe-401c-80bb-c7d781ec072d.vbs"
                                          6⤵
                                            PID:3040
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a15ec85-3acd-4068-bb2a-4ee8cb055850.vbs"
                                        4⤵
                                          PID:772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\winlogon.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:3024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N0" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:3016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N0" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Music\Idle.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:3040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:3032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Music\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\it-IT\winlogon.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\it-IT\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\en-US\winlogon.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\en-US\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2464

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe

    Filesize

    4.9MB

    MD5

    ad6f5a9d1be209b53e4ea1e256a259b0

    SHA1

    03da3df7b5d92d7c298e7c7fc9965f140f13000e

    SHA256

    04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3

    SHA512

    24bf284ce56fef4e52278ee6a4c85f27e6d754ff99c1858089c4c70fbca947bdc4e630b096ec29d74dc93eec4734bfc409a8d8837762c2754d8b665ab4258e88

  • C:\Users\Admin\AppData\Local\Temp\3c64755a-7df3-4da1-a7ef-544ddc49c165.vbs

    Filesize

    711B

    MD5

    63f2dd07e787cefde9a3cc6eb526ccf2

    SHA1

    a80f304b44f5cf0c743c723904c1a92d90f1b1cb

    SHA256

    b196181c284f6126df1b5b2d607cedbf52915b15a306098a7c7411dde4d085ee

    SHA512

    9a1304b19a63450bf28fade95b5be53534077b2d417e74c5961f30515bea9da9259e9f0a1f07c6d01e8657af5f7b66cc8cfd4f45f82cf31c60cceb964cab54f0

  • C:\Users\Admin\AppData\Local\Temp\5a15ec85-3acd-4068-bb2a-4ee8cb055850.vbs

    Filesize

    487B

    MD5

    b1e2955ff1bdf3c4d35e913243fa4867

    SHA1

    05907beb83c195f8b35449a53facadb030aebaf6

    SHA256

    f1995baacf36e3cdf41bd5b9631dcb3374069d173417e3eea3c63e7d36a95263

    SHA512

    3e2c306490b8c4a31f73a25946e86fd6bdb66f68fd89e45f1aa480420593f9bc904a4f0becf3eeed21db4a15f183b1a60fad1b4827cf95b9d94e76b309ee84c8

  • C:\Users\Admin\AppData\Local\Temp\648e675a-8bd2-4bc3-a1d3-22199241953b.vbs

    Filesize

    711B

    MD5

    dbc2cce0be033eb1f8c44082f47d3019

    SHA1

    4f20e811db39024378916ee7f67416c7c79df405

    SHA256

    63bc92d827adeb8b493059426b2618263ecc2b25b02cfe9f60b5d5055f338800

    SHA512

                                    973763255ed00a741b358faa70427e8820063d93f8afe33152f2845314bb61c3be7aaa59f0d93ef6e9f5a2dee027d01c5df8d8bc46949960796e4e2b23334b06

                                  • C:\Users\Admin\AppData\Local\Temp\79a9795a-76db-4a6f-88ba-2808ee5b262b.vbs

                                    Filesize

                                    711B

                                    MD5

                                    912f125ae1aafcf80e310d32040478c2

                                    SHA1

                                    b3a4d400bcaa69757684fc6efa283b623f474f98

                                    SHA256

                                    01dc6a12dd38823233220fcbef4ef0812112e3d8469331f57334ea5bb162e0c5

                                    SHA512

                                    4b801e255f4b6b38087316fc26006f99c5b5126fc386d20190b57c6eb662947d23c6c82582dcf48ea9b6844d492395affcb2b8396d27b05f7ec74a180a9ae9c5

                                  • C:\Users\Admin\AppData\Local\Temp\7e74207d-f7c8-4abb-a0c5-c3240e7894b7.vbs

                                    Filesize

                                    711B

                                    MD5

                                    e21d49538579b667b18f6430ee1ac9ab

                                    SHA1

                                    9cdce9596d69f81da8f5a3c5fbe4c89ad17da897

                                    SHA256

                                    7672b0584ed917ddeb2fcee8332f79650cf28775a40b2efdf05f76e995b7a609

                                    SHA512

                                    017cba86858ae230c806083499bc1bd207dd407b59cae2c25025dca928e527ee49ea96e22a79511bd9ff0e5fb9b9a90bdfc4247f3e64bffaa88ff995cf309287

                                  • C:\Users\Admin\AppData\Local\Temp\UDcpHa0YgN.bat

                                    Filesize

                                    200B

                                    MD5

                                    bc543e2f97cd584ad7b728fe30ac2bc8

                                    SHA1

                                    66664d1728ad3803c58d0fd80d3848a82e5ac265

                                    SHA256

                                    f881300ef03ba2c79af859a581f2b6fb6d106832714b4ce5e403c367f022fb02

                                    SHA512

                                    a097f371304d67f79b170e47bdb5216bb8df976dd875f75c689d474fd63588ed9eebeb666a5f97612e09fc320e17233d0f6e5d79b2057c741a65f9fe3fdea171

                                  • C:\Users\Admin\AppData\Local\Temp\a9d5fb54-84f3-4902-a68f-1f5846ab4211.vbs

                                    Filesize

                                    710B

                                    MD5

                                    657f7a3867ef4e5059a8b79f1ab120cd

                                    SHA1

                                    d6a0aaf32741d158357da6e3cbb3aa6669c6b684

                                    SHA256

                                    ff0b8dd2b65ecd40cb938549fc4ae5a4de3069e19e4f0013e28f8c199e95f67f

                                    SHA512

                                    39320c7a132f757d6eea29b161ccae6d251b7be803e47cdda878d2beae41861aacf4f31a834451c6618e09734f02390c0a7ebcee2d85bef2b967ee3188068958

                                  • C:\Users\Admin\AppData\Local\Temp\ab848bcb-3a1c-4f77-b23c-443d988c69f8.vbs

                                    Filesize

                                    711B

                                    MD5

                                    0221dc7bca504618016de20b77693920

                                    SHA1

                                    99276e261624bf1e02500d2229584f419865a9d8

                                    SHA256

                                    7dd12f2b7aef7f51ac56b2fcd3911b91d41b6a67a62a8fbb78f422f03b8e3aff

                                    SHA512

                                    cade7f1c1297791ecb92e29241cb1a7fe29e79155e8b898f88b0d06e6de2d02271eee84232c4bc55b9f15fe49212f80cbe95d80a62249b81cc09fdd006be8703

                                  • C:\Users\Admin\AppData\Local\Temp\afe69088-bef3-4092-8fae-df1c0eee2603.vbs

                                    Filesize

                                    711B

                                    MD5

                                    e36142803179d73eee3bdf88f234e3f8

                                    SHA1

                                    89e387a9543c78b0043e714c37302c695672927c

                                    SHA256

                                    887b45b6c8b0895b38f9a7322e4e830f89661aa388c6c90dcbf1579933a1b10e

                                    SHA512

                                    5da7cd5596b2fc146ca2978309999c3679de8cbfc216cf712d4ff85eea01b4e7d2d5700c4c1456d1da8dfb4ebb8372bb6159861512508a7a31d5da9987941b87

                                  • C:\Users\Admin\AppData\Local\Temp\eb33ab54-0383-4620-aebc-e1ce35f55c10.vbs

                                    Filesize

                                    711B

                                    MD5

                                    c2df367f50c64a65a8db8ce8a7f8407e

                                    SHA1

                                    47ea62922b31733d6e84c0183b3bec5adb6e7853

                                    SHA256

                                    3606ecaf0ecac1cc96f55b3888f951dd966e57c3cba717ed2e6eefb7f20ce8a7

                                    SHA512

                                    815a94eb60f1742b7bdc58031ca6faa6cd374c674c706bac7cb753f1bb4a6b4b5a549e4661293fbd533dde9dbec2731fe341ca6380bfe21d63a2a68ff2d5ca78

                                  • C:\Users\Admin\AppData\Local\Temp\tmpB6C1.tmp.exe

                                    Filesize

                                    75KB

                                    MD5

                                    e0a68b98992c1699876f818a22b5b907

                                    SHA1

                                    d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                    SHA256

                                    2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                    SHA512

                                    856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                    Filesize

                                    7KB

                                    MD5

                                    0204930c47ef6888cb7680a4350fba32

                                    SHA1

                                    47f37189735fae7307f84b52d1d7db7cf250d4df

                                    SHA256

                                    a1ec322f91d0508c80f76447b37aa961b41d2de326837df704bb7aecb0d7c9f5

                                    SHA512

                                    379a83ba43be0f71223a5b58a2803512904a3d62fc92c51525bcc575339ee145bb0ce26237174ba90312920951c43e62d81168f3bba25b376876bbdf226674b6

                                  • memory/696-195-0x0000000000070000-0x0000000000564000-memory.dmp

                                    Filesize

                                    5.0MB

                                  • memory/1072-209-0x0000000001390000-0x0000000001884000-memory.dmp

                                    Filesize

                                    5.0MB

                                  • memory/1524-151-0x00000000027E0000-0x00000000027E8000-memory.dmp

                                    Filesize

                                    32KB

                                  • memory/1524-144-0x000000001B6B0000-0x000000001B992000-memory.dmp

                                    Filesize

                                    2.9MB

                                  • memory/1688-286-0x0000000000D60000-0x0000000000D72000-memory.dmp

                                    Filesize

                                    72KB

                                  • memory/2036-255-0x00000000011C0000-0x00000000016B4000-memory.dmp

                                    Filesize

                                    5.0MB

                                  • memory/2036-256-0x0000000000B50000-0x0000000000B62000-memory.dmp

                                    Filesize

                                    72KB

                                  • memory/2204-271-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

                                    Filesize

                                    72KB

                                  • memory/2324-240-0x00000000006B0000-0x00000000006C2000-memory.dmp

                                    Filesize

                                    72KB

                                  • memory/2324-239-0x0000000000EC0000-0x00000000013B4000-memory.dmp

                                    Filesize

                                    5.0MB

                                  • memory/2476-224-0x0000000000200000-0x00000000006F4000-memory.dmp

                                    Filesize

                                    5.0MB

                                  • memory/2784-9-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

                                    Filesize

                                    40KB

                                  • memory/2784-5-0x0000000000420000-0x0000000000428000-memory.dmp

                                    Filesize

                                    32KB

                                  • memory/2784-6-0x0000000000C00000-0x0000000000C10000-memory.dmp

                                    Filesize

                                    64KB

                                  • memory/2784-15-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

                                    Filesize

                                    32KB

                                  • memory/2784-7-0x0000000000C90000-0x0000000000CA6000-memory.dmp

                                    Filesize

                                    88KB

                                  • memory/2784-12-0x0000000000D70000-0x0000000000D7E000-memory.dmp

                                    Filesize

                                    56KB

                                  • memory/2784-8-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

                                    Filesize

                                    64KB

                                  • memory/2784-14-0x0000000000E90000-0x0000000000E98000-memory.dmp

                                    Filesize

                                    32KB

                                  • memory/2784-138-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

                                    Filesize

                                    9.9MB

                                  • memory/2784-10-0x0000000000D50000-0x0000000000D62000-memory.dmp

                                    Filesize

                                    72KB

                                  • memory/2784-13-0x0000000000E80000-0x0000000000E8E000-memory.dmp

                                    Filesize

                                    56KB

                                  • memory/2784-11-0x0000000000D60000-0x0000000000D6A000-memory.dmp

                                    Filesize

                                    40KB

                                  • memory/2784-4-0x0000000000BE0000-0x0000000000BFC000-memory.dmp

                                    Filesize

                                    112KB

                                  • memory/2784-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/2784-2-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

                                    Filesize

                                    9.9MB

                                  • memory/2784-16-0x0000000000FB0000-0x0000000000FBC000-memory.dmp

                                    Filesize

                                    48KB

                                  • memory/2784-3-0x000000001B500000-0x000000001B62E000-memory.dmp

                                    Filesize

                                    1.2MB

                                  • memory/2784-1-0x0000000000FC0000-0x00000000014B4000-memory.dmp

                                    Filesize

                                    5.0MB