dcrat | 51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Size

2.1MB
MD5

f4a675a3b47a85daa2e7905eba314760
SHA1

0e01e07ff8ed4ca94a1dcad2f2af26fd8cf431ba
SHA256

51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02
SHA512

d8a9cd69392fc775cef5d714128ca08a39a6a111e57ff248b64ba4126b89bbff4ca39bb5c117450e405619cefbec7ca01ad931c6ae7d9cb14c6d1822d478152d
SSDEEP

49152:D3B3BNkmneOg9/liOjsCpfAwq1jwaCJtn:zFBNkB9NiOjsC5A91jw5

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 54 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2788	schtasks.exe
2588	schtasks.exe
2784	schtasks.exe
1332	schtasks.exe
2912	schtasks.exe
2352	schtasks.exe
2832	schtasks.exe
2220	schtasks.exe
2736	schtasks.exe
1528	schtasks.exe
2300	schtasks.exe
2660	schtasks.exe
2192	schtasks.exe
2424	schtasks.exe
2252	schtasks.exe
644	schtasks.exe
2688	schtasks.exe
1192	schtasks.exe
2340	schtasks.exe
476	schtasks.exe
2240	schtasks.exe
2176	schtasks.exe
2496	schtasks.exe
1932	schtasks.exe
2880	schtasks.exe
1844	schtasks.exe
1788	schtasks.exe
2696	schtasks.exe
2600	schtasks.exe
2384	schtasks.exe
2208	schtasks.exe
2900	schtasks.exe
1656	schtasks.exe
1496	schtasks.exe
1612	schtasks.exe
576	schtasks.exe
2836	schtasks.exe
1948	schtasks.exe
656	schtasks.exe
2396	schtasks.exe
1224	schtasks.exe
2272	schtasks.exe
984	schtasks.exe
1604	schtasks.exe
2336	schtasks.exe
2112	schtasks.exe
1996	schtasks.exe
2808	schtasks.exe
1212	schtasks.exe
1964	schtasks.exe
2480	schtasks.exe
2236	schtasks.exe
1544	schtasks.exe
760	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\security\\templates\\sppsvc.exe\", \"C:\\Users\\Admin\\Searches\\explorer.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\security\\templates\\sppsvc.exe\", \"C:\\Users\\Admin\\Searches\\explorer.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\security\\templates\\sppsvc.exe\", \"C:\\Users\\Admin\\Searches\\explorer.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\", \"C:\\Windows\\Registration\\CRMLog\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\security\\templates\\sppsvc.exe\", \"C:\\Users\\Admin\\Searches\\explorer.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\", \"C:\\Windows\\Registration\\CRMLog\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\services.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\security\\templates\\sppsvc.exe\", \"C:\\Users\\Admin\\Searches\\explorer.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\", \"C:\\Windows\\Registration\\CRMLog\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\Idle.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\security\\templates\\sppsvc.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\security\\templates\\sppsvc.exe\", \"C:\\Users\\Admin\\Searches\\explorer.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\", \"C:\\Windows\\Registration\\CRMLog\\Idle.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\security\\templates\\sppsvc.exe\", \"C:\\Users\\Admin\\Searches\\explorer.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\", \"C:\\Windows\\Registration\\CRMLog\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\security\\templates\\sppsvc.exe\", \"C:\\Users\\Admin\\Searches\\explorer.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\", \"C:\\Windows\\Registration\\CRMLog\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\Idle.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\lsm.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\", \"C:\\Windows\\Tasks\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\security\\templates\\sppsvc.exe\", \"C:\\Users\\Admin\\Searches\\explorer.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\", \"C:\\Windows\\Registration\\CRMLog\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\Idle.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\smss.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2816	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2816	schtasks.exe	28

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2956-0-0x0000000000F50000-0x0000000001166000-memory.dmp	dcrat
behavioral1/files/0x0006000000016d18-32.dat	dcrat
behavioral1/files/0x0008000000016d74-123.dat	dcrat
behavioral1/files/0x0005000000019414-353.dat	dcrat

Detects executables packed with SmartAssembly 6 IoCs

resource	yara_rule
behavioral1/memory/2956-7-0x00000000002F0000-0x0000000000300000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2956-12-0x0000000000C80000-0x0000000000C8C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2956-14-0x0000000000CA0000-0x0000000000CAC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2956-16-0x0000000000CB0000-0x0000000000CBC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2956-21-0x000000001A910000-0x000000001A91C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2956-22-0x000000001A920000-0x000000001A92A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Executes dropped EXE 1 IoCs

pid	Process
2156	Idle.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Tasks\\spoolsv.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\smss.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\Idle.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\security\\templates\\sppsvc.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Admin\\Searches\\explorer.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Registration\\CRMLog\\Idle.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\lsm.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\lsass.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Documents\\My Pictures\\winlogon.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\Idle.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Admin\\Searches\\explorer.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\lsm.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\smss.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Tasks\\spoolsv.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\services.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\services.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\System.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\security\\templates\\sppsvc.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\services.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Registration\\CRMLog\\Idle.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\""	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\27d1bcfc3c54e0	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX2D4B.tmp	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\smss.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\smss.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX33C3.tmp	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6203df4a6bafc7	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\RCX2F4E.tmp	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\b75386f1303e64	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\69ddcba757bf72	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCX4E21.tmp	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\security\templates\sppsvc.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File created	C:\Windows\security\templates\0a1fd5f707cd16	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File created	C:\Windows\Registration\CRMLog\6ccacd8608530f	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File created	C:\Windows\Tasks\f3b6ecef712a24	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Windows\Tasks\spoolsv.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Windows\security\templates\RCX3AA9.tmp	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Windows\security\templates\sppsvc.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File created	C:\Windows\Boot\EFI\lsm.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Windows\Tasks\RCX2B47.tmp	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX419E.tmp	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File opened for modification	C:\Windows\Registration\CRMLog\Idle.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File created	C:\Windows\Tasks\spoolsv.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
File created	C:\Windows\Registration\CRMLog\Idle.exe	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2112	schtasks.exe
2660	schtasks.exe
1656	schtasks.exe
2192	schtasks.exe
2208	schtasks.exe
2396	schtasks.exe
2788	schtasks.exe
2600	schtasks.exe
1332	schtasks.exe
576	schtasks.exe
2236	schtasks.exe
2696	schtasks.exe
2588	schtasks.exe
2240	schtasks.exe
2272	schtasks.exe
1788	schtasks.exe
656	schtasks.exe
2808	schtasks.exe
2424	schtasks.exe
1544	schtasks.exe
1604	schtasks.exe
2252	schtasks.exe
644	schtasks.exe
1932	schtasks.exe
2336	schtasks.exe
1996	schtasks.exe
2220	schtasks.exe
1528	schtasks.exe
2384	schtasks.exe
760	schtasks.exe
2340	schtasks.exe
1212	schtasks.exe
2880	schtasks.exe
1948	schtasks.exe
1964	schtasks.exe
2836	schtasks.exe
2736	schtasks.exe
2832	schtasks.exe
1496	schtasks.exe
2912	schtasks.exe
1844	schtasks.exe
1612	schtasks.exe
2496	schtasks.exe
2784	schtasks.exe
2300	schtasks.exe
476	schtasks.exe
2688	schtasks.exe
2900	schtasks.exe
2352	schtasks.exe
984	schtasks.exe
2480	schtasks.exe
1224	schtasks.exe
1192	schtasks.exe
2176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
2792	powershell.exe
1084	powershell.exe
2920	powershell.exe
1312	powershell.exe
2744	powershell.exe
2776	powershell.exe
1636	powershell.exe
2984	powershell.exe
1480	powershell.exe
2596	powershell.exe
2020	powershell.exe
1744	powershell.exe
2784	powershell.exe
2780	powershell.exe
1272	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2156	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2792	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	83
PID 2956 wrote to memory of 2792	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	83
PID 2956 wrote to memory of 2792	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	83
PID 2956 wrote to memory of 1084	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	84
PID 2956 wrote to memory of 1084	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	84
PID 2956 wrote to memory of 1084	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	84
PID 2956 wrote to memory of 1312	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	85
PID 2956 wrote to memory of 1312	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	85
PID 2956 wrote to memory of 1312	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	85
PID 2956 wrote to memory of 2920	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	86
PID 2956 wrote to memory of 2920	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	86
PID 2956 wrote to memory of 2920	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	86
PID 2956 wrote to memory of 2744	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	88
PID 2956 wrote to memory of 2744	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	88
PID 2956 wrote to memory of 2744	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	88
PID 2956 wrote to memory of 2020	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	90
PID 2956 wrote to memory of 2020	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	90
PID 2956 wrote to memory of 2020	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	90
PID 2956 wrote to memory of 2776	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	91
PID 2956 wrote to memory of 2776	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	91
PID 2956 wrote to memory of 2776	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	91
PID 2956 wrote to memory of 1272	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	96
PID 2956 wrote to memory of 1272	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	96
PID 2956 wrote to memory of 1272	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	96
PID 2956 wrote to memory of 664	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	97
PID 2956 wrote to memory of 664	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	97
PID 2956 wrote to memory of 664	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	97
PID 2956 wrote to memory of 1744	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	98
PID 2956 wrote to memory of 1744	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	98
PID 2956 wrote to memory of 1744	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	98
PID 2956 wrote to memory of 1480	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	99
PID 2956 wrote to memory of 1480	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	99
PID 2956 wrote to memory of 1480	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	99
PID 2956 wrote to memory of 2692	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	100
PID 2956 wrote to memory of 2692	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	100
PID 2956 wrote to memory of 2692	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	100
PID 2956 wrote to memory of 1640	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	101
PID 2956 wrote to memory of 1640	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	101
PID 2956 wrote to memory of 1640	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	101
PID 2956 wrote to memory of 1636	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	102
PID 2956 wrote to memory of 1636	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	102
PID 2956 wrote to memory of 1636	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	102
PID 2956 wrote to memory of 2596	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	103
PID 2956 wrote to memory of 2596	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	103
PID 2956 wrote to memory of 2596	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	103
PID 2956 wrote to memory of 2780	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	104
PID 2956 wrote to memory of 2780	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	104
PID 2956 wrote to memory of 2780	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	104
PID 2956 wrote to memory of 2716	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	105
PID 2956 wrote to memory of 2716	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	105
PID 2956 wrote to memory of 2716	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	105
PID 2956 wrote to memory of 2784	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	106
PID 2956 wrote to memory of 2784	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	106
PID 2956 wrote to memory of 2784	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	106
PID 2956 wrote to memory of 2984	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	107
PID 2956 wrote to memory of 2984	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	107
PID 2956 wrote to memory of 2984	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	107
PID 2956 wrote to memory of 3028	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	121
PID 2956 wrote to memory of 3028	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	121
PID 2956 wrote to memory of 3028	2956	51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe	121
PID 3028 wrote to memory of 2944	3028	cmd.exe	123
PID 3028 wrote to memory of 2944	3028	cmd.exe	123
PID 3028 wrote to memory of 2944	3028	cmd.exe	123
PID 3028 wrote to memory of 2156	3028	cmd.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe
"C:\Users\Admin\AppData\Local\Temp\51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\spoolsv.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Pictures\winlogon.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\templates\sppsvc.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\explorer.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\Idle.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\Idle.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsm.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DnwPuEug1S.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2944
- - C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\Idle.exe
    "C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\security\templates\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\security\templates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\security\templates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Searches\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\Idle.exe

Filesize
1.1MB

MD5
c3afb062a32abee475df9ecb28d322e9

SHA1
8e08314be5780ce8850b91f1cd6fbc644c80ab22

SHA256
a76ddaea2243bfdb575f724e427072790462ba6584a18f17dc5e33f71fab5dda

SHA512
fa4dccc22832a5b71089632bf78ea9efa558f56ab39be8739bdfc1306e174e0acb6bb692f96ec3a6c031e3bfb6441de8c1edba6115aa76a2aca1da461d3b635b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnwPuEug1S.bat

Filesize
222B

MD5
5112d8fd1e3637401b6d1f8615525747

SHA1
82d8bc501114e2a3dcf4c9614b8f138762743b13

SHA256
e528c36123d63e99bca8dc2ab78d36a9a91ba9066c034933d17e3df1b3acdb31

SHA512
4154ade1634333c6ca75546a16e278e04577ff0ac0f60909fc6a1152cd09ff4d0bb8123ca2214a9396f10fb489e818966e20451f2c26241528e30bc4f23faf3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SNR5UMCUKUYO670JB0YR.temp

Filesize
7KB

MD5
b53e46c9386933c72b06eafcec505409

SHA1
fa65cf1c014eb9133678e3a4b4c0ad0a875ab145

SHA256
e42d5b66d9ccb055e3f5e68ccafad633ff5a96c3f8c8856e055749c70fb8adbe

SHA512
b5574342eed6695671315d8d9024430d8afb568717056241d0e73685ceb11fac286a3117d74828b3d13098fe9820627a74e9a5380785e8c728bc80d941728918

Download Submit
C:\Users\Default\wininit.exe

Filesize
2.1MB

MD5
f4a675a3b47a85daa2e7905eba314760

SHA1
0e01e07ff8ed4ca94a1dcad2f2af26fd8cf431ba

SHA256
51b284bd1d8865e9d4fe9544c81882a7790a2ce32458249a25c9698329a0ea02

SHA512
d8a9cd69392fc775cef5d714128ca08a39a6a111e57ff248b64ba4126b89bbff4ca39bb5c117450e405619cefbec7ca01ad931c6ae7d9cb14c6d1822d478152d

Download Submit
C:\Windows\security\templates\sppsvc.exe

Filesize
2.1MB

MD5
47b59a4d46015001669fa4cc701672a3

SHA1
ff529a4a9777142078bb3660f10c338a0319e473

SHA256
99404b37e74403459bd0e4bd43ebbf8bad47a53486f8467656377ec74f3f8152

SHA512
f87bd1cd13a5841dfd847391db548b3b4c1a5d4f2014c0c6b6fc0e477085d1ff36ca5c9e77a813d50a7b06a9fe7ca5626a0b8e112c1bfc9b346e443f653665c4

Download Submit
memory/664-298-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1084-255-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/1084-228-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1084-207-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1084-193-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1084-216-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1084-206-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/1312-238-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/1312-268-0x00000000028AB000-0x0000000002912000-memory.dmp

Filesize
412KB

Download
memory/1312-225-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1312-217-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1312-218-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/1312-219-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1480-313-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/2596-314-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/2596-316-0x0000000002BC4000-0x0000000002BC7000-memory.dmp

Filesize
12KB

Download
memory/2744-239-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/2744-231-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/2744-232-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/2776-312-0x0000000002C8B000-0x0000000002CF2000-memory.dmp

Filesize
412KB

Download
memory/2776-311-0x0000000002C84000-0x0000000002C87000-memory.dmp

Filesize
12KB

Download
memory/2776-310-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/2792-215-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2792-214-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2792-211-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/2792-213-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/2792-205-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2792-227-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2792-229-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/2792-212-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2920-208-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/2920-209-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2920-210-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2920-260-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2920-299-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download
memory/2920-226-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2956-20-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2956-12-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2956-22-0x000000001A920000-0x000000001A92A000-memory.dmp

Filesize
40KB

Download
memory/2956-63-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2956-21-0x000000001A910000-0x000000001A91C000-memory.dmp

Filesize
48KB

Download
memory/2956-70-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2956-19-0x000000001A900000-0x000000001A90E000-memory.dmp

Filesize
56KB

Download
memory/2956-18-0x000000001A8F0000-0x000000001A8F8000-memory.dmp

Filesize
32KB

Download
memory/2956-17-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/2956-16-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/2956-15-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/2956-14-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

Filesize
48KB

Download
memory/2956-13-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/2956-23-0x000000001A930000-0x000000001A93C000-memory.dmp

Filesize
48KB

Download
memory/2956-11-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/2956-194-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-10-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/2956-9-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/2956-8-0x0000000000B20000-0x0000000000B36000-memory.dmp

Filesize
88KB

Download
memory/2956-0-0x0000000000F50000-0x0000000001166000-memory.dmp

Filesize
2.1MB

Download
memory/2956-7-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2956-6-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download
memory/2956-1-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-5-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/2956-4-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/2956-3-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2956-2-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2984-315-0x000007FEECE50000-0x000007FEED7ED000-memory.dmp

Filesize
9.6MB

Download