dcrat | 6ba057bc05313c3b6bf79254af5928029ecc792083ac4e83939c8beabc0bb19f

Analysis

max time kernel
149s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2023 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02b3254b1e5ceb8daf8e804ecd76faa3.exe
Size

2.5MB
MD5

02b3254b1e5ceb8daf8e804ecd76faa3
SHA1

60fed21b5250772db6a4060973bd16ba66675149
SHA256

6ba057bc05313c3b6bf79254af5928029ecc792083ac4e83939c8beabc0bb19f
SHA512

750a94d0a72b0634c3c0771a3d6cc6f51bbc20cdf2fb948043649bb7d556b9c316f4f58b796a9ab757c00481980e4e67e1a2ab58c852a7a3c5ffe722c51f8ab5
SSDEEP

49152:ySg8kOqBMdDhtQM4I+MkmJm9LcBwQYdXQ4J:tfkOqGhhtn9+nmJm9LcBCXvJ

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 50 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe02b3254b1e5ceb8daf8e804ecd76faa3.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1296	schtasks.exe
4624	schtasks.exe
4488	schtasks.exe
3836	schtasks.exe
204	schtasks.exe
1988	schtasks.exe
4760	schtasks.exe
4788	schtasks.exe
2664	schtasks.exe
1816	schtasks.exe
404	schtasks.exe
4980	schtasks.exe
2604	schtasks.exe
3896	schtasks.exe
3792	schtasks.exe
2368	schtasks.exe
3428	schtasks.exe
File created	C:\Windows\Resources\Themes\aero\fontdrvhost.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Windows\Resources\Themes\aero\5b884080fd4f94	02b3254b1e5ceb8daf8e804ecd76faa3.exe
1892	schtasks.exe
4396	schtasks.exe
1376	schtasks.exe
2540	schtasks.exe
692	schtasks.exe
4448	schtasks.exe
4764	schtasks.exe
640	schtasks.exe
2044	schtasks.exe
760	schtasks.exe
4388	schtasks.exe
1160	schtasks.exe
2328	schtasks.exe
1320	schtasks.exe
2408	schtasks.exe
4916	schtasks.exe
3680	schtasks.exe
4920	schtasks.exe
3232	schtasks.exe
3900	schtasks.exe
3192	schtasks.exe
5112	schtasks.exe
3176	schtasks.exe
1832	schtasks.exe
2344	schtasks.exe
2520	schtasks.exe
1500	schtasks.exe
100	schtasks.exe
3948	schtasks.exe
4412	schtasks.exe
1204	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

02b3254b1e5ceb8daf8e804ecd76faa3.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	3572	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/5060-132-0x00000000008F0000-0x0000000000B7E000-memory.dmp	dcrat
C:\Program Files (x86)\Internet Explorer\Idle.exe	dcrat
C:\Program Files (x86)\Internet Explorer\Idle.exe	dcrat
behavioral2/memory/4908-193-0x00000000007A0000-0x0000000000A2E000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

Idle.exe

pid process

4908 Idle.exe

pid	process
4908	Idle.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

02b3254b1e5ceb8daf8e804ecd76faa3.exeIdle.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Idle.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

02b3254b1e5ceb8daf8e804ecd76faa3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\GameBarPresenceWriter\\dwm.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\02b3254b1e5ceb8daf8e804ecd76faa3 = "\"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\02b3254b1e5ceb8daf8e804ecd76faa3 = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Photo Viewer\\en-US\\lsass.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\odt\\explorer.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\odt\\explorer.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Photo Viewer\\en-US\\lsass.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\02b3254b1e5ceb8daf8e804ecd76faa3 = "\"C:\\Windows\\IME\\IMEJP\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\SchCache\\taskhostw.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Public\\Registry.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\sppsvc.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\sppsvc.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\GameBarPresenceWriter\\dwm.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Internet Explorer\\Idle.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\02b3254b1e5ceb8daf8e804ecd76faa3 = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\ModemLogs\\fontdrvhost.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\02b3254b1e5ceb8daf8e804ecd76faa3 = "\"C:\\Windows\\IME\\IMEJP\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Internet Explorer\\Idle.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\SchCache\\taskhostw.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\02b3254b1e5ceb8daf8e804ecd76faa3 = "\"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\ModemLogs\\fontdrvhost.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Public\\Registry.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe

Drops file in Program Files directory 25 IoCs

Processes:

02b3254b1e5ceb8daf8e804ecd76faa3.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\sppsvc.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\RCXCF48.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX38DE.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\RCX3B60.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX417E.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\lsass.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX3850.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\02b3254b1e5ceb8daf8e804ecd76faa3.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\lsass.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Program Files (x86)\Internet Explorer\Idle.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXB063.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\02b3254b1e5ceb8daf8e804ecd76faa3.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\Idle.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\6203df4a6bafc7	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\0a1fd5f707cd16	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Program Files (x86)\Internet Explorer\6ccacd8608530f	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\sppsvc.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\RCX3BED.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX420C.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\9c1b4432aa1b50	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c991	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXB20A.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\RCXCEBB.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe

Drops file in Windows directory 30 IoCs

Processes:

02b3254b1e5ceb8daf8e804ecd76faa3.exe

description	ioc	process
File opened for modification	C:\Windows\IME\IMEJP\02b3254b1e5ceb8daf8e804ecd76faa3.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Windows\it-IT\9c1b4432aa1b50	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Windows\ModemLogs\5b884080fd4f94	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Windows\IME\IMEJP\9c1b4432aa1b50	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\dwm.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Windows\ModemLogs\fontdrvhost.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\Resources\Themes\aero\RCXA4C3.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCX3E7F.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Windows\it-IT\02b3254b1e5ceb8daf8e804ecd76faa3.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\IME\IMEJP\RCX45A.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Windows\Resources\Themes\aero\fontdrvhost.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\ModemLogs\RCXD1BA.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\SchCache\taskhostw.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\it-IT\02b3254b1e5ceb8daf8e804ecd76faa3.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Windows\SchCache\taskhostw.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Windows\SchCache\ea9f0e6c9e2dcd	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\SchCache\RCXAA64.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\IME\IMEJP\RCX555.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\Resources\Themes\aero\fontdrvhost.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Windows\IME\IMEJP\02b3254b1e5ceb8daf8e804ecd76faa3.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\it-IT\RCXAD64.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Windows\GameBarPresenceWriter\dwm.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Windows\GameBarPresenceWriter\6cb0b6c459d5d3	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\it-IT\RCXADE2.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\ModemLogs\RCXD248.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\ModemLogs\fontdrvhost.exe	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCX3EFD.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File created	C:\Windows\Resources\Themes\aero\5b884080fd4f94	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\Resources\Themes\aero\RCXA445.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe
File opened for modification	C:\Windows\SchCache\RCXAAE2.tmp	02b3254b1e5ceb8daf8e804ecd76faa3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2408	schtasks.exe
4448	schtasks.exe
4760	schtasks.exe
1204	schtasks.exe
3176	schtasks.exe
4920	schtasks.exe
760	schtasks.exe
3948	schtasks.exe
1832	schtasks.exe
4788	schtasks.exe
4624	schtasks.exe
4488	schtasks.exe
4764	schtasks.exe
1816	schtasks.exe
4396	schtasks.exe
1376	schtasks.exe
4980	schtasks.exe
404	schtasks.exe
2368	schtasks.exe
5112	schtasks.exe
1296	schtasks.exe
640	schtasks.exe
1160	schtasks.exe
1892	schtasks.exe
4412	schtasks.exe
100	schtasks.exe
204	schtasks.exe
2604	schtasks.exe
2664	schtasks.exe
1320	schtasks.exe
1500	schtasks.exe
2328	schtasks.exe
4916	schtasks.exe
3680	schtasks.exe
3896	schtasks.exe
3900	schtasks.exe
3792	schtasks.exe
2044	schtasks.exe
2540	schtasks.exe
4388	schtasks.exe
3192	schtasks.exe
2344	schtasks.exe
3836	schtasks.exe
1988	schtasks.exe
3232	schtasks.exe
2520	schtasks.exe
3428	schtasks.exe
692	schtasks.exe

Modifies registry class 2 IoCs

Processes:

02b3254b1e5ceb8daf8e804ecd76faa3.exeIdle.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	Idle.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

02b3254b1e5ceb8daf8e804ecd76faa3.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeIdle.exe

pid	process
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
2908	powershell.exe
1556	powershell.exe
1148	powershell.exe
4272	powershell.exe
3956	powershell.exe
3956	powershell.exe
2232	powershell.exe
2232	powershell.exe
3636	powershell.exe
3636	powershell.exe
3620	powershell.exe
3620	powershell.exe
3976	powershell.exe
3976	powershell.exe
1032	powershell.exe
1032	powershell.exe
4420	powershell.exe
4420	powershell.exe
2624	powershell.exe
2624	powershell.exe
1032	powershell.exe
1148	powershell.exe
1148	powershell.exe
1556	powershell.exe
1556	powershell.exe
2908	powershell.exe
2908	powershell.exe
4272	powershell.exe
4272	powershell.exe
2232	powershell.exe
3956	powershell.exe
3636	powershell.exe
3976	powershell.exe
3620	powershell.exe
4420	powershell.exe
2624	powershell.exe
4908	Idle.exe
4908	Idle.exe
4908	Idle.exe
4908	Idle.exe
4908	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Idle.exe

pid process

4908 Idle.exe

pid	process
4908	Idle.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	4908	Idle.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

02b3254b1e5ceb8daf8e804ecd76faa3.execmd.exeIdle.exe

description	pid	process	target process
PID 5060 wrote to memory of 1556	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 1556	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 1148	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 1148	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 2908	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 2908	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 4272	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 4272	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 2232	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 2232	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 3956	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 3956	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 3976	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 3976	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 3636	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 3636	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 2624	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 2624	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 3620	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 3620	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 1032	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 1032	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 4420	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 4420	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	powershell.exe
PID 5060 wrote to memory of 4472	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	cmd.exe
PID 5060 wrote to memory of 4472	5060	02b3254b1e5ceb8daf8e804ecd76faa3.exe	cmd.exe
PID 4472 wrote to memory of 760	4472	cmd.exe	w32tm.exe
PID 4472 wrote to memory of 760	4472	cmd.exe	w32tm.exe
PID 4472 wrote to memory of 4908	4472	cmd.exe	Idle.exe
PID 4472 wrote to memory of 4908	4472	cmd.exe	Idle.exe
PID 4908 wrote to memory of 3584	4908	Idle.exe	WScript.exe
PID 4908 wrote to memory of 3584	4908	Idle.exe	WScript.exe
PID 4908 wrote to memory of 1144	4908	Idle.exe	WScript.exe
PID 4908 wrote to memory of 1144	4908	Idle.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\02b3254b1e5ceb8daf8e804ecd76faa3.exe
"C:\Users\Admin\AppData\Local\Temp\02b3254b1e5ceb8daf8e804ecd76faa3.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w1wk5TxQDJ.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:760

C:\Program Files (x86)\Internet Explorer\Idle.exe
"C:\Program Files (x86)\Internet Explorer\Idle.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7630f2ac-53da-4ef1-96cc-18edcade95b1.vbs"
4⤵
PID:3584

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\051d369e-d254-492b-9632-976c532aa26a.vbs"
4⤵
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Themes\aero\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\aero\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\aero\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SchCache\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02b3254b1e5ceb8daf8e804ecd76faa30" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\02b3254b1e5ceb8daf8e804ecd76faa3.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02b3254b1e5ceb8daf8e804ecd76faa3" /sc ONLOGON /tr "'C:\Windows\it-IT\02b3254b1e5ceb8daf8e804ecd76faa3.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02b3254b1e5ceb8daf8e804ecd76faa30" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\02b3254b1e5ceb8daf8e804ecd76faa3.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02b3254b1e5ceb8daf8e804ecd76faa30" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\02b3254b1e5ceb8daf8e804ecd76faa3.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02b3254b1e5ceb8daf8e804ecd76faa3" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\02b3254b1e5ceb8daf8e804ecd76faa3.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02b3254b1e5ceb8daf8e804ecd76faa30" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\02b3254b1e5ceb8daf8e804ecd76faa3.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02b3254b1e5ceb8daf8e804ecd76faa30" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\IMEJP\02b3254b1e5ceb8daf8e804ecd76faa3.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02b3254b1e5ceb8daf8e804ecd76faa3" /sc ONLOGON /tr "'C:\Windows\IME\IMEJP\02b3254b1e5ceb8daf8e804ecd76faa3.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02b3254b1e5ceb8daf8e804ecd76faa30" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\IMEJP\02b3254b1e5ceb8daf8e804ecd76faa3.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\GameBarPresenceWriter\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\GameBarPresenceWriter\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\Idle.exe

Filesize
2.5MB

MD5
0eca8aa382c8c25d01b25e26ef24c875

SHA1
92b64fd84827dc9821b094c76ba4998a0b89a50e

SHA256
e68dd0f4a5c0f0d924dcfa2d3f90fd19cd9bdf89fee265c94da18d0fb186ad25

SHA512
b2b33bb169f1e1184d12fb8e802f44cc3d4c8e122ecdfdc4df9038aa6e14739dd276f823b2a3fd00dde6a517d9d9489303e266601ce1342f3458ec6520f56ee9

Download Submit
C:\Program Files (x86)\Internet Explorer\Idle.exe

Filesize
2.5MB

MD5
0eca8aa382c8c25d01b25e26ef24c875

SHA1
92b64fd84827dc9821b094c76ba4998a0b89a50e

SHA256
e68dd0f4a5c0f0d924dcfa2d3f90fd19cd9bdf89fee265c94da18d0fb186ad25

SHA512
b2b33bb169f1e1184d12fb8e802f44cc3d4c8e122ecdfdc4df9038aa6e14739dd276f823b2a3fd00dde6a517d9d9489303e266601ce1342f3458ec6520f56ee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\051d369e-d254-492b-9632-976c532aa26a.vbs

Filesize
501B

MD5
5baf82f638a47a1126cda1f8af3fda51

SHA1
e8b7d69d29c1e1b480a3492cfae832edadd844a9

SHA256
563212a6f9c8904f9c6912f2a6fb5e746cea313cdeaa834ab4a44e08eae4d28e

SHA512
e2c7f9b075eda9973665ce634d1a62bb834916722dfc73296e3ef80fa1d73a5c9ea9519d0bed3cd6a7b4b7776420f9fa7e813b9344fc6e6e41bf83f165994a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7630f2ac-53da-4ef1-96cc-18edcade95b1.vbs

Filesize
725B

MD5
7e7e08ea41989479457a7861f6c3bfb1

SHA1
95d4ce4abd0104a2dcf9b6771c39554c9740eb96

SHA256
c6f62188a3c851e9dd30bf83d932215980f818405887e1f5d531fe80382484cc

SHA512
8f954ab994e0596d46e2121045c7069744672ee14af1ee395cf0ce6317e400e612beb8f1b9b8644fbfcc1c29ccf7249f5f02b76ea16d6c8e8a5080ba7c86a6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1wk5TxQDJ.bat

Filesize
214B

MD5
2aba1baa6eac31ce1d512c5800ad1930

SHA1
caf9843ea9771a0bc8edd51c5362cfdf2c0cf87d

SHA256
a74ca05190aa9df07d24553b45cee07468cf67f053a2f6454c6d045c4dc53c61

SHA512
3f85c434b7a9bb42c3ab06f995de0f034e5dae957b3093ba08f03ea8b0bc2a313f0b74eb962a8bb8c4137222d3ae884c1e18287856b7177d9421e8deaddc0883

Download Submit
memory/760-159-0x0000000000000000-mapping.dmp

Download
memory/1032-173-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1032-164-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1032-147-0x0000000000000000-mapping.dmp

Download
memory/1144-196-0x0000000000000000-mapping.dmp

Download
memory/1148-153-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1148-168-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1148-138-0x0000000000000000-mapping.dmp

Download
memory/1148-149-0x000001AC75260000-0x000001AC75282000-memory.dmp

Filesize
136KB

Download
memory/1556-174-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1556-137-0x0000000000000000-mapping.dmp

Download
memory/1556-152-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2232-158-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2232-179-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2232-141-0x0000000000000000-mapping.dmp

Download
memory/2624-187-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2624-145-0x0000000000000000-mapping.dmp

Download
memory/2624-163-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2908-172-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2908-139-0x0000000000000000-mapping.dmp

Download
memory/2908-155-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3584-195-0x0000000000000000-mapping.dmp

Download
memory/3620-146-0x0000000000000000-mapping.dmp

Download
memory/3620-185-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3620-162-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3636-144-0x0000000000000000-mapping.dmp

Download
memory/3636-160-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3636-184-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3956-157-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3956-142-0x0000000000000000-mapping.dmp

Download
memory/3956-183-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3976-161-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3976-143-0x0000000000000000-mapping.dmp

Download
memory/3976-182-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4272-140-0x0000000000000000-mapping.dmp

Download
memory/4272-175-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4272-156-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4420-148-0x0000000000000000-mapping.dmp

Download
memory/4420-189-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4420-165-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4472-150-0x0000000000000000-mapping.dmp

Download
memory/4908-194-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/4908-190-0x0000000000000000-mapping.dmp

Download
memory/4908-199-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/4908-193-0x00000000007A0000-0x0000000000A2E000-memory.dmp

Filesize
2.6MB

Download
memory/5060-151-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/5060-133-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/5060-134-0x000000001B780000-0x000000001B7D0000-memory.dmp

Filesize
320KB

Download
memory/5060-135-0x000000001D3F0000-0x000000001D918000-memory.dmp

Filesize
5.2MB

Download
memory/5060-136-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/5060-132-0x00000000008F0000-0x0000000000B7E000-memory.dmp

Filesize
2.6MB

Download

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\", \"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Windows\\ModemLogs\\fontdrvhost.exe\", \"C:\\Users\\Public\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\IME\\IMEJP\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\odt\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\sppsvc.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\", \"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Windows\\ModemLogs\\fontdrvhost.exe\", \"C:\\Users\\Public\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\IME\\IMEJP\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\odt\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\sppsvc.exe\", \"C:\\Windows\\GameBarPresenceWriter\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\Idle.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\", \"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\", \"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Windows\\ModemLogs\\fontdrvhost.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\", \"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Windows\\ModemLogs\\fontdrvhost.exe\", \"C:\\Users\\Public\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\IME\\IMEJP\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\odt\\explorer.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\", \"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Windows\\ModemLogs\\fontdrvhost.exe\", \"C:\\Users\\Public\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\IME\\IMEJP\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\odt\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\", \"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\", \"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Windows\\ModemLogs\\fontdrvhost.exe\", \"C:\\Users\\Public\\Registry.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\", \"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Windows\\ModemLogs\\fontdrvhost.exe\", \"C:\\Users\\Public\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\", \"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\lsass.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\", \"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Windows\\ModemLogs\\fontdrvhost.exe\", \"C:\\Users\\Public\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\IME\\IMEJP\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\", \"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Windows\\ModemLogs\\fontdrvhost.exe\", \"C:\\Users\\Public\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\IME\\IMEJP\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Resources\\Themes\\aero\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\SchCache\\taskhostw.exe\", \"C:\\Windows\\it-IT\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Program Files\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Windows\\ModemLogs\\fontdrvhost.exe\", \"C:\\Users\\Public\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\IME\\IMEJP\\02b3254b1e5ceb8daf8e804ecd76faa3.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\odt\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\sppsvc.exe\", \"C:\\Windows\\GameBarPresenceWriter\\dwm.exe\""	02b3254b1e5ceb8daf8e804ecd76faa3.exe