Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231130-en locale:en-us os:windows10-2004-x64 system
submitted: 07/12/2023, 00:21
Behavioral task: behavioral1
Sample: 20ec8d347f674ebadc53399ef6aa49cb.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 20ec8d347f674ebadc53399ef6aa49cb.exe
Resource: win10v2004-20231130-en
General
Target: 20ec8d347f674ebadc53399ef6aa49cb.exe
Size: 3.4MB
MD5: 20ec8d347f674ebadc53399ef6aa49cb
SHA1: f418d228eb276f216b4986b55b2c762d11991a31
SHA256: 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512: e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
SSDEEP: 49152:RoyC6Up4R8DrzSGRWGq1m2G2j4mddTpbuYs2P1C0q8dA9Bl0fijOu4:RW6eW8WAh2DQyC0q8G9wyQ
Malware Config
Signatures
DcRat 59 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | pid | Process
 |  | 1796 | schtasks.exe
 |  | 3928 | schtasks.exe
 |  | 4232 | schtasks.exe
 |  | 536 | schtasks.exe
 |  | 884 | schtasks.exe
 |  | 2300 | schtasks.exe
 |  | 1808 | schtasks.exe
 |  | 4572 | schtasks.exe
 |  | 4100 | schtasks.exe
 |  | 4380 | schtasks.exe
 |  | 2924 | schtasks.exe
 |  | 4948 | schtasks.exe
 |  | 3996 | schtasks.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991 |  | 20ec8d347f674ebadc53399ef6aa49cb.exe
 |  | 3216 | schtasks.exe
 |  | 700 | schtasks.exe
 |  | 1556 | schtasks.exe
 |  | 3984 | schtasks.exe
 |  | 3372 | schtasks.exe
 |  | 4780 | schtasks.exe
 |  | 872 | schtasks.exe
 |  | 1456 | schtasks.exe
 |  | 4768 | schtasks.exe
 |  | 4728 | schtasks.exe
 |  | 1068 | schtasks.exe
 |  | 3460 | schtasks.exe
 |  | 5028 | schtasks.exe
 |  | 3140 | schtasks.exe
 |  | 2692 | schtasks.exe
 |  | 1316 | schtasks.exe
 |  | 1940 | schtasks.exe
 |  | 1800 | schtasks.exe
 |  | 2852 | schtasks.exe
 |  | 2612 | schtasks.exe
 |  | 4828 | schtasks.exe
 |  | 1240 | schtasks.exe
 |  | 1964 | schtasks.exe
 |  | 5000 | schtasks.exe
 |  | 3824 | schtasks.exe
 |  | 3500 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA |  | 20ec8d347f674ebadc53399ef6aa49cb.exe
 |  | 320 | schtasks.exe
 |  | 4452 | schtasks.exe
 |  | 5052 | schtasks.exe
 |  | 3316 | schtasks.exe
 |  | 1252 | schtasks.exe
 |  | 3368 | schtasks.exe
 |  | 2960 | schtasks.exe
 |  | 1208 | schtasks.exe
 |  | 2416 | schtasks.exe
 |  | 3416 | schtasks.exe
 |  | 228 | schtasks.exe
 |  | 396 | schtasks.exe
 |  | 2632 | schtasks.exe
 |  | 4268 | schtasks.exe
 |  | 2928 | schtasks.exe
 |  | 1792 | schtasks.exe
 |  | 4872 | schtasks.exe
 |  | 4560 | schtasks.exe
Modifies WinLogon for persistence 2 TTPs 19 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\backgroundTaskHost.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\winlogon.exe\", \"C:\\odt\\csrss.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\explorer.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\winlogon.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4572 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5052 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3824 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1940 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2416 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4768 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4232 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 228 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2632 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1808 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4100 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3500 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 320 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3416 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1792 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2300 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3316 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1456 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 884 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5028 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 396 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1208 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1556 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3140 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1252 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1800 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4268 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3984 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3216 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4872 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2852 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4380 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3372 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4728 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2924 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4560 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4780 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1796 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2692 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4948 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4452 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3928 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1316 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2612 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 536 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1068 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5000 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3460 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3996 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3368 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4828 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1240 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 700 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 872 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2960 | 4648 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2928 | 4648 | schtasks.exe | 89
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Idle.exe
resource | yara_rule
behavioral2/memory/1612-0-0x0000000000390000-0x00000000006FA000-memory.dmp | dcrat
behavioral2/files/0x00060000000231f8-48.dat | dcrat
behavioral2/files/0x0006000000023218-86.dat | dcrat
behavioral2/files/0x0006000000023218-87.dat | dcrat
behavioral2/files/0x0006000000023218-101.dat | dcrat
behavioral2/files/0x000b00000002322f-108.dat | dcrat
behavioral2/files/0x0006000000023218-116.dat | dcrat
behavioral2/files/0x000b00000002322f-122.dat | dcrat
behavioral2/files/0x0006000000023218-130.dat | dcrat
behavioral2/files/0x000b00000002322f-136.dat | dcrat
behavioral2/files/0x0006000000023218-144.dat | dcrat
behavioral2/files/0x000b00000002322f-150.dat | dcrat
behavioral2/files/0x0006000000023218-158.dat | dcrat
behavioral2/files/0x000b00000002322f-164.dat | dcrat
behavioral2/files/0x0006000000023218-172.dat | dcrat
behavioral2/files/0x000b00000002322f-178.dat | dcrat
behavioral2/files/0x0006000000023218-186.dat | dcrat
behavioral2/files/0x000b00000002322f-192.dat | dcrat
behavioral2/files/0x0006000000023218-202.dat | dcrat
behavioral2/files/0x000b00000002322f-208.dat | dcrat
Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | Idle.exe
Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | Idle.exe
Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | Idle.exe
Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | Idle.exe
Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | 20ec8d347f674ebadc53399ef6aa49cb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | Idle.exe
Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | Idle.exe
Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | Idle.exe
Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | Idle.exe
Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | Idle.exe
Executes dropped EXE 9 IoCs
pid | Process
3840 | Idle.exe
4580 | Idle.exe
1432 | Idle.exe
3756 | Idle.exe
2480 | Idle.exe
3276 | Idle.exe
3928 | Idle.exe
4344 | Idle.exe
2300 | Idle.exe
Adds Run key to start application 2 TTPs 36 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\odt\\System.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\odt\\SearchApp.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\spoolsv.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\odt\\SearchApp.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\lsass.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\explorer.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\odt\\csrss.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\odt\\System.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Common Files\\Services\\upfc.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Office\\winlogon.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\odt\\csrss.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\backgroundTaskHost.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\explorer.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Common Files\\Services\\upfc.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\spoolsv.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\lsass.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\backgroundTaskHost.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Office\\winlogon.exe\"" | 20ec8d347f674ebadc53399ef6aa49cb.exe
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 20ec8d347f674ebadc53399ef6aa49cb.exe (1 event)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Idle.exe (9 events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 20ec8d347f674ebadc53399ef6aa49cb.exe (1 event)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe (9 events)
Drops file in Program Files directory 15 IoCs
description ioc Process
File created C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Program Files\Common Files\Services\upfc.exe 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Program Files\Microsoft Office\cc11b995f2a76d 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Program Files (x86)\Reference Assemblies\Idle.exe 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Program Files\Microsoft Office\winlogon.exe 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Program Files (x86)\Reference Assemblies\6ccacd8608530f 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Program Files\Common Files\Services\ea1d8f6d871115 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Program Files\WindowsPowerShell\Modules\Pester\886983d96e3d3e 20ec8d347f674ebadc53399ef6aa49cb.exe
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\9e8d7a4ca61bd9 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe 20ec8d347f674ebadc53399ef6aa49cb.exe
Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\SoftwareDistribution\EventCache.v2\smss.exe 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Windows\SoftwareDistribution\EventCache.v2\69ddcba757bf72 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\backgroundTaskHost.exe 20ec8d347f674ebadc53399ef6aa49cb.exe
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\eddb19405b7ce1 20ec8d347f674ebadc53399ef6aa49cb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry class 10 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings Idle.exe (9 events)
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings 20ec8d347f674ebadc53399ef6aa49cb.exe (1 event)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1612 20ec8d347f674ebadc53399ef6aa49cb.exe (11 events)
3840 Idle.exe (14 events)
4580 Idle.exe (26 events)
1432 Idle.exe (13 events)
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process
Token: SeDebugPrivilege 1612 20ec8d347f674ebadc53399ef6aa49cb.exe
Token: SeDebugPrivilege 3840 Idle.exe
Token: SeDebugPrivilege 4580 Idle.exe
Token: SeDebugPrivilege 1432 Idle.exe
Token: SeDebugPrivilege 3756 Idle.exe
Token: SeDebugPrivilege 2480 Idle.exe
Token: SeDebugPrivilege 3276 Idle.exe
Token: SeDebugPrivilege 3928 Idle.exe
Token: SeDebugPrivilege 4344 Idle.exe
Token: SeDebugPrivilege 2300 Idle.exe
Suspicious use of WriteProcessMemory 58 IoCs
description pid Process procid_target (each write is recorded twice in the report)
PID 1612 wrote to memory of 1716 1612 20ec8d347f674ebadc53399ef6aa49cb.exe 147
PID 1716 wrote to memory of 2728 1716 cmd.exe 149
PID 1716 wrote to memory of 3840 1716 cmd.exe 154
PID 3840 wrote to memory of 1684 3840 Idle.exe 155
PID 3840 wrote to memory of 4268 3840 Idle.exe 156
PID 1684 wrote to memory of 4580 1684 WScript.exe 157
PID 4580 wrote to memory of 3928 4580 Idle.exe 158
PID 4580 wrote to memory of 3464 4580 Idle.exe 159
PID 3928 wrote to memory of 1432 3928 WScript.exe 160
PID 1432 wrote to memory of 212 1432 Idle.exe 161
PID 1432 wrote to memory of 4584 1432 Idle.exe 162
PID 212 wrote to memory of 3756 212 WScript.exe 164
PID 3756 wrote to memory of 2728 3756 Idle.exe 165
PID 3756 wrote to memory of 4992 3756 Idle.exe 166
PID 2728 wrote to memory of 2480 2728 WScript.exe 168
PID 2480 wrote to memory of 4264 2480 Idle.exe 169
PID 2480 wrote to memory of 4712 2480 Idle.exe 170
PID 4264 wrote to memory of 3276 4264 WScript.exe 171
PID 3276 wrote to memory of 4764 3276 Idle.exe 172
PID 3276 wrote to memory of 3868 3276 Idle.exe 173
PID 4764 wrote to memory of 3928 4764 WScript.exe 174
PID 3928 wrote to memory of 3916 3928 Idle.exe 175
PID 3928 wrote to memory of 2664 3928 Idle.exe 176
PID 3916 wrote to memory of 4344 3916 WScript.exe 177
PID 4344 wrote to memory of 884 4344 Idle.exe 178
PID 4344 wrote to memory of 4936 4344 Idle.exe 179
PID 884 wrote to memory of 2300 884 WScript.exe 180
PID 2300 wrote to memory of 4236 2300 Idle.exe 181
PID 2300 wrote to memory of 2848 2300 Idle.exe 182
System policy modification 1 TTPs 30 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Idle.exe (9 events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 20ec8d347f674ebadc53399ef6aa49cb.exe (1 event)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Idle.exe (9 events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 20ec8d347f674ebadc53399ef6aa49cb.exe (1 event)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Idle.exe (9 events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 20ec8d347f674ebadc53399ef6aa49cb.exe (1 event)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe (depth 1)
  "C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe"
  - DcRat
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1612
C:\Windows\System32\cmd.exe (depth 2)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gLRQn5jy2W.bat"
  - Suspicious use of WriteProcessMemory
  PID:1716
C:\Windows\system32\w32tm.exe (depth 3)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2728
C:\Recovery\WindowsRE\Idle.exe (depth 3)
  "C:\Recovery\WindowsRE\Idle.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3840
C:\Windows\System32\WScript.exe (depth 4)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\327d7c89-d934-45bb-922f-f703e4be55af.vbs"
  - Suspicious use of WriteProcessMemory
  PID:1684
C:\Recovery\WindowsRE\Idle.exe (depth 5)
  C:\Recovery\WindowsRE\Idle.exe
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4580
C:\Windows\System32\WScript.exe (depth 6)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8998bce-3d4f-4009-9c0e-8859ba9e4e69.vbs"
  - Suspicious use of WriteProcessMemory
  PID:3928
C:\Recovery\WindowsRE\Idle.exe (depth 7)
  C:\Recovery\WindowsRE\Idle.exe
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1432
C:\Windows\System32\WScript.exe (depth 8)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\280fb390-02cf-4940-8bb4-69894669b0d2.vbs"
  - Suspicious use of WriteProcessMemory
  PID:212
C:\Recovery\WindowsRE\Idle.exe (depth 9)
  C:\Recovery\WindowsRE\Idle.exe
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3756
C:\Windows\System32\WScript.exe (depth 10)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4476a622-1239-419c-b12b-b6fd93def516.vbs"
  - Suspicious use of WriteProcessMemory
  PID:2728
C:\Recovery\WindowsRE\Idle.exe (depth 11)
  C:\Recovery\WindowsRE\Idle.exe
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2480
C:\Windows\System32\WScript.exe (depth 12)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\444a57c1-dd60-404b-ba4d-5dfd0391b452.vbs"
  - Suspicious use of WriteProcessMemory
  PID:4264
C:\Recovery\WindowsRE\Idle.exe (depth 13)
  C:\Recovery\WindowsRE\Idle.exe
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3276
C:\Windows\System32\WScript.exe (depth 14)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af648bd0-9af2-4566-bd36-ab77e32f2b77.vbs"
  - Suspicious use of WriteProcessMemory
  PID:4764
C:\Recovery\WindowsRE\Idle.exe (depth 15)
  C:\Recovery\WindowsRE\Idle.exe
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3928
C:\Windows\System32\WScript.exe (depth 16)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8613c36d-90fd-44f6-bcf1-a7f4daa67318.vbs"
  - Suspicious use of WriteProcessMemory
  PID:3916
C:\Recovery\WindowsRE\Idle.exe (depth 17)
  C:\Recovery\WindowsRE\Idle.exe
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4344
C:\Windows\System32\WScript.exe (depth 18)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca8a3790-a6e7-40c1-bc29-9e5df56f381e.vbs"
  - Suspicious use of WriteProcessMemory
  PID:884
C:\Recovery\WindowsRE\Idle.exe (depth 19)
  C:\Recovery\WindowsRE\Idle.exe
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2300
C:\Windows\System32\WScript.exe (depth 20)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dbcc325-c951-4d65-9c86-32a0bdca3b2e.vbs"
  PID:4236
C:\Windows\System32\WScript.exe (depth 20)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efdf0b09-e918-4bb2-84df-5455f3c8ade8.vbs"
  PID:2848
C:\Windows\System32\WScript.exe (depth 18)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e93a1958-dab5-4132-a428-abebcca164c4.vbs"
  PID:4936
C:\Windows\System32\WScript.exe (depth 16)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54b8b15f-5f75-4b0c-bf4d-3daec22dc83d.vbs"
  PID:2664
C:\Windows\System32\WScript.exe (depth 14)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb6e415c-b047-4c37-b09d-4ca051d12f13.vbs"
  PID:3868
C:\Windows\System32\WScript.exe (depth 12)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcbe1fe4-5f7b-429e-b978-d6b1210415b7.vbs"
  PID:4712
C:\Windows\System32\WScript.exe (depth 10)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\730e9bea-b176-43ad-bad1-6cbd98c3f3cd.vbs"
  PID:4992
C:\Windows\System32\WScript.exe (depth 8)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc7277b3-a0f4-4206-b080-bbf008e3b930.vbs"
  PID:4584
C:\Windows\System32\WScript.exe (depth 6)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51683b07-20a1-481b-ae4d-46c92f221e37.vbs"
  PID:3464
C:\Windows\System32\WScript.exe (depth 4)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\890a8615-d6c4-40c9-b70e-85a087ce95af.vbs"
  PID:4268
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\EventCache.v2\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\EventCache.v2\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\EventCache.v2\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\odt\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\WindowsHolographicDevices\OfficeClickToRun.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\odt\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Services\upfc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\upfc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3216
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchApp.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\lsass.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\backgroundTaskHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\explorer.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\winlogon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\odt\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads