Overview

overview

10

Static

static

10

a200ccdf59...cb.exe

windows7-x64

1

a200ccdf59...cb.exe

windows10-2004-x64

1

a24432a439...39.exe

windows7-x64

1

a24432a439...39.exe

windows10-2004-x64

1

a261b01eac...35.exe

windows7-x64

10

a261b01eac...35.exe

windows10-2004-x64

10

a277e4ef19...9e.exe

windows7-x64

10

a277e4ef19...9e.exe

windows10-2004-x64

10

a2c94b5453...64.exe

windows7-x64

7

a2c94b5453...64.exe

windows10-2004-x64

7

a2e433f395...34.exe

windows7-x64

10

a2e433f395...34.exe

windows10-2004-x64

10

a2fad1a052...95.exe

windows7-x64

10

a2fad1a052...95.exe

windows10-2004-x64

10

a30ce01ad9...4d.exe

windows7-x64

7

a30ce01ad9...4d.exe

windows10-2004-x64

7

a31ba0b291...4c.exe

windows7-x64

10

a31ba0b291...4c.exe

windows10-2004-x64

10

a340d849cc...86.exe

windows7-x64

10

a340d849cc...86.exe

windows10-2004-x64

10

a34ed8c989...d1.exe

windows7-x64

10

a34ed8c989...d1.exe

windows10-2004-x64

10

a39a36bdb6...eb.exe

windows7-x64

10

a39a36bdb6...eb.exe

windows10-2004-x64

10

a3a42aeb37...7f.exe

windows7-x64

10

a3a42aeb37...7f.exe

windows10-2004-x64

10

a3a62b600d...4c.exe

windows7-x64

10

a3a62b600d...4c.exe

windows10-2004-x64

10

a3bf76de64...be.exe

windows7-x64

10

a3bf76de64...be.exe

windows10-2004-x64

10

a3d1683844...56.exe

windows7-x64

10

a3d1683844...56.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a31ba0b291554684b4a097371669bc4c.exe

  • Size

    1.9MB

  • MD5

    a31ba0b291554684b4a097371669bc4c

  • SHA1

    0a5034d116b71c1a99879ef632962026b5b774aa

  • SHA256

    0bfce2cf34dbbf853a1171acf4ac9e2802d3e67285222bcf8d43dffec50b6593

  • SHA512

    8d8c96ad82f63aa8f7f3345d3905f5eff42cc3d8b50822036e128b9f886777cf475962161c3c308ee4867b05a5ef05b52d68be3e317b6a9505029c4f03547c67

  • SSDEEP

    24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

Score
10/10
defense_evasionexecutiontrojan

Malware Config

Signatures

  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 24 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 16 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 24 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a31ba0b291554684b4a097371669bc4c.exe
    "C:\Users\Admin\AppData\Local\Temp\a31ba0b291554684b4a097371669bc4c.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a31ba0b291554684b4a097371669bc4c.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\a31ba0b291554684b4a097371669bc4c.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\smss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\a31ba0b291554684b4a097371669bc4c.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:324
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2100
    • C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
      "C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2424
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b11c6d8-761e-45cc-9a97-bf39977b7d6c.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
          C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1920
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae6d3b62-d323-452f-9788-f3541f1aafd5.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1992
            • C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
              C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2320
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eeb605bd-9372-4e50-9d9d-6dcd5ff924c1.vbs"
                7⤵
                  PID:2276
                  • C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
                    C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
                    8⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:896
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ade3b8d-de11-4aa1-8eba-b11b0619a1e4.vbs"
                      9⤵
                        PID:1636
                        • C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
                          C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
                          10⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:876
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f5260ba-f943-4616-92e9-494fc1871c05.vbs"
                            11⤵
                              PID:328
                              • C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
                                C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
                                12⤵
                                • UAC bypass
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:2344
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86fc4522-d836-4517-9cbf-2e506d1c88a1.vbs"
                                  13⤵
                                    PID:2064
                                    • C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
                                      C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
                                      14⤵
                                      • UAC bypass
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:1972
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\893f25d4-41f0-46b2-a6f3-519a0a6449bb.vbs"
                                        15⤵
                                          PID:1840
                                          • C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
                                            C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe
                                            16⤵
                                              PID:2644
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45ec9ab7-a5b8-4b65-a2f9-e6c4ab84d7f2.vbs"
                                            15⤵
                                              PID:2352
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e8da815-a6e3-4a24-a1dd-a771345ef5b5.vbs"
                                          13⤵
                                            PID:1832
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25d54b14-6442-4e34-b64c-21d1fb7c37c6.vbs"
                                        11⤵
                                          PID:1776
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a839871d-10e2-48c1-8c6b-cfaccb7c5ec2.vbs"
                                      9⤵
                                        PID:1192
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3008413-16df-4f13-8f57-19e51cea850e.vbs"
                                    7⤵
                                      PID:3036
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36b950a9-53f1-4314-92eb-92cb4746d2ed.vbs"
                                  5⤵
                                    PID:684
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c98a91b7-da69-4a02-8a49-4b37741a22fc.vbs"
                                3⤵
                                  PID:2316
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\sppsvc.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2804
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\sppsvc.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:3016
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\sppsvc.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2880
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2876
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2960
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2744
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "a31ba0b291554684b4a097371669bc4ca" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2600
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "a31ba0b291554684b4a097371669bc4c" /sc ONLOGON /tr "'C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2620
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "a31ba0b291554684b4a097371669bc4ca" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\de-DE\a31ba0b291554684b4a097371669bc4c.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2676
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "a31ba0b291554684b4a097371669bc4ca" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\a31ba0b291554684b4a097371669bc4c.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2556
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "a31ba0b291554684b4a097371669bc4c" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\a31ba0b291554684b4a097371669bc4c.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2388
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "a31ba0b291554684b4a097371669bc4ca" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\a31ba0b291554684b4a097371669bc4c.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2904
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1012
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1388
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1932
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\smss.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2668
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Globalization\smss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2848
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\smss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2992
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:3000
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2232
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2908
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:604
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1884
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2316
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "a31ba0b291554684b4a097371669bc4ca" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\a31ba0b291554684b4a097371669bc4c.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2080
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "a31ba0b291554684b4a097371669bc4c" /sc ONLOGON /tr "'C:\Users\Default\SendTo\a31ba0b291554684b4a097371669bc4c.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:952
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "a31ba0b291554684b4a097371669bc4ca" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\a31ba0b291554684b4a097371669bc4c.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1048
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2968
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:528
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2196
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2020
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:864
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1096
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2136
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1512
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:680
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1576
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2076
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1732

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\MSOCache\All Users\lsass.exe
                              Filesize

                              1.9MB

                              MD5

                              a31ba0b291554684b4a097371669bc4c

                              SHA1

                              0a5034d116b71c1a99879ef632962026b5b774aa

                              SHA256

                              0bfce2cf34dbbf853a1171acf4ac9e2802d3e67285222bcf8d43dffec50b6593

                              SHA512

                              8d8c96ad82f63aa8f7f3345d3905f5eff42cc3d8b50822036e128b9f886777cf475962161c3c308ee4867b05a5ef05b52d68be3e317b6a9505029c4f03547c67

                              Download Submit

                            • C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe
                              Filesize

                              1.9MB

                              MD5

                              abf2c7e004ab22238ef78cb86dedb033

                              SHA1

                              6bdfbfe9e21f99d2ba51d92c62a5402d5cc8b39c

                              SHA256

                              d92cee1bf9648f5367b71375700a57164eff224aa44a1984d70ebfdb665970c3

                              SHA512

                              89442b8d554b75cc84b2842aa713a582eb51eb8a6791ad2465fc198e030630d046814ac4119bb39363240d05600069d9ea3a6c5b701c92bbb5e3aae47a496d19

                              Download Submit

                            • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
                              Filesize

                              1.9MB

                              MD5

                              d57a319ed48c91f3349d42cbb86e7121

                              SHA1

                              075005eed8e25bc290023f0f0518991e0340a95c

                              SHA256

                              b11f337f64f5e1a856dbb9cc9955080bd4e1cd234ad795eb4ba5fa02f085bd27

                              SHA512

                              c43c2e8a30dccc30f1e96f47d7cf2b344a6af77a18e434375e85456bf98dbca382fb19c7959405a0c7e9b2bd61ca82578064a947c30193bc584aada9abedcabc

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\2f5260ba-f943-4616-92e9-494fc1871c05.vbs
                              Filesize

                              737B

                              MD5

                              87b961e6454d716fe205192f878a17d3

                              SHA1

                              538df56c032712b565b961ef009e0749defd96a9

                              SHA256

                              3a0c3dd6b3fadc04c0dcc65b79e28f916b1359f9327c2ece7bf6d2dd21e7a3e2

                              SHA512

                              5a246220c9cf92355216e35a63e50da992e3edebd01a30fbda42e1982414143e9fa6697cca14ce587580d48d3622213e5284ed42be6bda64784e5d81629680d3

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\3b11c6d8-761e-45cc-9a97-bf39977b7d6c.vbs
                              Filesize

                              738B

                              MD5

                              617154d117f6ee0819527fbdeb06186c

                              SHA1

                              4fa0cfd26a055c9e7f4f7bc672df289b6ed4ade1

                              SHA256

                              39ad1967b4a34416cebf4d01c8903993cdccde9fc7ab10a7601136ca56f49437

                              SHA512

                              4b4b6fcf97ec0a9d010b13eb9d47149b887e6ed3aa538e22519532e1b8da3bd1644ec2a78d06bbe32192f788addb73fd31a51806d29e93a1b91becb32d25bd24

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\7ade3b8d-de11-4aa1-8eba-b11b0619a1e4.vbs
                              Filesize

                              737B

                              MD5

                              08faa5c42b7b9db2d6c479ce79e5e63c

                              SHA1

                              6c16d5e8e2ee2fb0e84a9800242610228bafb21a

                              SHA256

                              541da454a8c7729633d3b522465ebc604a977029bd16b207c844e818c1cd0883

                              SHA512

                              1f82bf3f14b79a93938a04759888d5c452c4058a3b5e19c2b951181ea3e0fa4766bdc561b1e4c78e535f3be29f6c6928a2d93cc7bbe0487c99797a271f10e545

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\86fc4522-d836-4517-9cbf-2e506d1c88a1.vbs
                              Filesize

                              738B

                              MD5

                              57fbc9d5e38215c3994c7868c2ddb685

                              SHA1

                              d73bacf21cbf6c809fb07e515ce94a78ebd5961e

                              SHA256

                              54b4fd8908e2506fb8676dcdcb2b2f779f7f8d08dcc8944995dcf4cffadacf5f

                              SHA512

                              55d09d6c9ea2223295396562bdc0e0034d341e2b826682ce1bc279188a4ce8cecf6c02cd4f467dca42c5a5d6051d4b1bb4206352978706037ba92dc59565471e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\893f25d4-41f0-46b2-a6f3-519a0a6449bb.vbs
                              Filesize

                              738B

                              MD5

                              81914fbb202fe0549d177239229bdfa2

                              SHA1

                              7a4eade13c6a8dfcf7e513d9d9badd9981a9e87f

                              SHA256

                              3f2371fcb0287ff4b274038b0d366b962272c3557c7104337f0502b64017d137

                              SHA512

                              cd4f017050a775136ead9dde8e5040b10d9e5086b675646804e7645d81b606cf57fafa878c6619339b5f49e838255b1caa28c7db86e8dfdb5ccb39a8688b07dc

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\ae6d3b62-d323-452f-9788-f3541f1aafd5.vbs
                              Filesize

                              738B

                              MD5

                              97f446e482c6325d04a43a587bc9802d

                              SHA1

                              7a623482fb09b5fd8b0ab728b2fba28e29dd5465

                              SHA256

                              0d8a99df041832b9b42b3dcab1a9df9283d676adc19b1694c49006e5a8a90919

                              SHA512

                              dada30d47672159efbafcaba93045cab4e28022171aea27aa8aea99a27afda60b050495f01c9ca1e85aa7fbfdf79f562025dc16ceec8130312f45ae8cca39e4c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\c98a91b7-da69-4a02-8a49-4b37741a22fc.vbs
                              Filesize

                              514B

                              MD5

                              9801cb3dd217c2fcd1c92a9bc4b3cf43

                              SHA1

                              63c84783ab8126a6d19cdb7614ee51dcf5cc8818

                              SHA256

                              adf020bd92557df32eb6e2d4d9d1e09a8efbac64483c2053db7f53d1dd77440d

                              SHA512

                              b9450db1b97cbbaa7019d194cb3ae5165852048773c85722fa2251c31df56b122229389e3bfa3e60a20cf51bbd0f24ee89f731a150e12caec233edd38fc2ffeb

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\eeb605bd-9372-4e50-9d9d-6dcd5ff924c1.vbs
                              Filesize

                              738B

                              MD5

                              72fb621f72d240b1ccad5833e92887ce

                              SHA1

                              6f74f6b1340e6975464e4312a1e8b881620b8d74

                              SHA256

                              4f07bc49410e040d854a046e18f64dae5987e8d8f12a11a97fdfaac26a2907db

                              SHA512

                              b77c94e42d916fd2cd996a5d2b678216a48c73b6097cde9247832d806accecd286c81dadba963ce018fdd6db73887a40cf033ad7170fe83b54afafcc1cb171b0

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                              Filesize

                              7KB

                              MD5

                              413acd96f25f9c60e04834bfa3980bf1

                              SHA1

                              10d81542e50add1a579ebb8c0766800c85b5e8a2

                              SHA256

                              3a4df99b84d280d379b9e8ba12457f59ef0f88c39af96ecc08abf735d05a63b5

                              SHA512

                              7935902d4710fedbfe6e980ab461ef9e3d4aa291aa0a8547397ef8d90d0ae66c0835345a4da43355ecb5c89db5f9fd5f482c7e145575daf882ec31a18b877f17

                              Download Submit

                            • memory/876-332-0x0000000001390000-0x000000000157A000-memory.dmp

                              Filesize

                              1.9MB

                              Download

                            • memory/876-333-0x00000000005C0000-0x00000000005D2000-memory.dmp

                              Filesize

                              72KB

                              Download

                            • memory/896-320-0x0000000000290000-0x000000000047A000-memory.dmp

                              Filesize

                              1.9MB

                              Download

                            • memory/1192-7-0x0000000000540000-0x000000000054A000-memory.dmp

                              Filesize

                              40KB

                              Download

                            • memory/1192-18-0x0000000000F60000-0x0000000000F6C000-memory.dmp

                              Filesize

                              48KB

                              Download

                            • memory/1192-14-0x0000000000E20000-0x0000000000E2A000-memory.dmp

                              Filesize

                              40KB

                              Download

                            • memory/1192-13-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

                              Filesize

                              48KB

                              Download

                            • memory/1192-6-0x0000000000520000-0x0000000000536000-memory.dmp

                              Filesize

                              88KB

                              Download

                            • memory/1192-2-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

                              Filesize

                              9.9MB

                              Download

                            • memory/1192-203-0x000007FEF6263000-0x000007FEF6264000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1192-5-0x0000000000510000-0x0000000000520000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/1192-17-0x0000000000F50000-0x0000000000F5C000-memory.dmp

                              Filesize

                              48KB

                              Download

                            • memory/1192-16-0x0000000000F40000-0x0000000000F48000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/1192-15-0x0000000000F30000-0x0000000000F3E000-memory.dmp

                              Filesize

                              56KB

                              Download

                            • memory/1192-248-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

                              Filesize

                              9.9MB

                              Download

                            • memory/1192-1-0x0000000000F70000-0x000000000115A000-memory.dmp

                              Filesize

                              1.9MB

                              Download

                            • memory/1192-9-0x0000000000550000-0x000000000055C000-memory.dmp

                              Filesize

                              48KB

                              Download

                            • memory/1192-10-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/1192-0-0x000007FEF6263000-0x000007FEF6264000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1192-12-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

                              Filesize

                              72KB

                              Download

                            • memory/1192-8-0x0000000000B70000-0x0000000000BC6000-memory.dmp

                              Filesize

                              344KB

                              Download

                            • memory/1192-3-0x0000000000260000-0x000000000027C000-memory.dmp

                              Filesize

                              112KB

                              Download

                            • memory/1192-4-0x0000000000500000-0x0000000000508000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/1920-297-0x0000000000AA0000-0x0000000000AF6000-memory.dmp

                              Filesize

                              344KB

                              Download

                            • memory/1920-296-0x0000000000F50000-0x000000000113A000-memory.dmp

                              Filesize

                              1.9MB

                              Download

                            • memory/2252-232-0x000000001B800000-0x000000001BAE2000-memory.dmp

                              Filesize

                              2.9MB

                              Download

                            • memory/2252-233-0x0000000001E10000-0x0000000001E18000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/2424-284-0x0000000000A90000-0x0000000000AE6000-memory.dmp

                              Filesize

                              344KB

                              Download

                            • memory/2424-285-0x0000000000B60000-0x0000000000B72000-memory.dmp

                              Filesize

                              72KB

                              Download

                            • memory/2424-231-0x0000000000BC0000-0x0000000000DAA000-memory.dmp

                              Filesize

                              1.9MB

                              Download