dcrat | 00fbff74e62a2049c82198024aacf705b2d87aa55b3be4dc78d8547f4ed1e087

General

Target

01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Size

1.4MB
MD5

13aeda86aafde4051d7ca9280dac9a67
SHA1

fd4a6168c79c28d6e25be7c799ffd25c2dbd69d0
SHA256

01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111
SHA512

ddfc9a2a5a2f3b83023eecf4053de1930ebf9486d1cff869ab6d2199c5978926b2c4a6468358c627f4cff16a235c8d23b98711d8b3bf608ed03f4e4d7d7d0194
SSDEEP

24576:Lw/d/t+9SDGMoRNkj63uYnqzW1yqCc/CfVsdEYXHo1o9edFt4k:M/d/HP6+Ynb18Kfdx3IoIt

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\", \"C:\\Users\\Public\\AccountPictures\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Documents\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\sysmon.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\", \"C:\\Users\\Public\\AccountPictures\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Documents\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\sysmon.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Idle.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\", \"C:\\Users\\Public\\AccountPictures\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\", \"C:\\Users\\Public\\AccountPictures\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Documents\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\", \"C:\\Users\\Public\\AccountPictures\\wininit.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\", \"C:\\Users\\Public\\AccountPictures\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\", \"C:\\Users\\Public\\AccountPictures\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Documents\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\", \"C:\\Users\\Public\\AccountPictures\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Documents\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\sysmon.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\", \"C:\\Users\\Public\\AccountPictures\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Documents\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\sysmon.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Idle.exe\", \"C:\\Windows\\tracing\\explorer.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\", \"C:\\Users\\Public\\AccountPictures\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Documents\\Registry.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Pictures\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\", \"C:\\Users\\Public\\AccountPictures\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Documents\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\csrss.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2036	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/368-0-0x00000000006E0000-0x0000000000846000-memory.dmp	dcrat
C:\Program Files\MSBuild\Microsoft\Idle.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe

Executes dropped EXE 1 IoCs

Processes:

Idle.exe

pid process

3792 Idle.exe

pid	process
3792	Idle.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\sysmon.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default User\\services.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\All Users\\Documents\\Registry.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\tracing\\explorer.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Documents\\My Videos\\wininit.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\VideoLAN\\VLC\\plugins\\csrss.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\sysmon.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\AccountPictures\\wininit.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\VideoLAN\\VLC\\plugins\\csrss.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\MSBuild\\Microsoft\\Idle.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\tracing\\explorer.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Pictures\\sppsvc.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\AccountPictures\\wininit.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\All Users\\Documents\\Registry.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Photo Viewer\\winlogon.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Pictures\\sppsvc.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default User\\services.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\MSBuild\\Microsoft\\Idle.exe\""	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe

Drops file in Program Files directory 11 IoCs

Processes:

01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe

description	ioc	process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\56085415360792	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
File created	C:\Program Files\Windows Photo Viewer\winlogon.exe	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
File created	C:\Program Files\Windows Photo Viewer\cc11b995f2a76d	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\886983d96e3d3e	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
File created	C:\Program Files\MSBuild\Microsoft\Idle.exe	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
File created	C:\Program Files\MSBuild\Microsoft\6ccacd8608530f	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\winlogon.exe	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\csrss.exe	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\sysmon.exe	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\121e5b5079f7c0	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe

Drops file in Windows directory 2 IoCs

Processes:

01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe

description	ioc	process
File created	C:\Windows\tracing\explorer.exe	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
File created	C:\Windows\tracing\7a0fd90576e088	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4708	schtasks.exe
3860	schtasks.exe
3980	schtasks.exe
1068	schtasks.exe
1052	schtasks.exe
3240	schtasks.exe
1616	schtasks.exe
1324	schtasks.exe
1544	schtasks.exe
3116	schtasks.exe
2012	schtasks.exe
640	schtasks.exe
1076	schtasks.exe
1888	schtasks.exe
3364	schtasks.exe
688	schtasks.exe
4480	schtasks.exe
316	schtasks.exe
4632	schtasks.exe
3880	schtasks.exe
1928	schtasks.exe
2076	schtasks.exe
2520	schtasks.exe
3816	schtasks.exe
2108	schtasks.exe
2964	schtasks.exe
3380	schtasks.exe
3248	schtasks.exe
556	schtasks.exe
4192	schtasks.exe
3504	schtasks.exe
3128	schtasks.exe
4388	schtasks.exe
5044	schtasks.exe
4620	schtasks.exe
3464	schtasks.exe
4704	schtasks.exe
4988	schtasks.exe
2960	schtasks.exe
3224	schtasks.exe
2832	schtasks.exe
5068	schtasks.exe
4356	schtasks.exe
1640	schtasks.exe
2376	schtasks.exe
1672	schtasks.exe
728	schtasks.exe
2004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exeIdle.exe

pid	process
368	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
368	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
368	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
3792	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exeIdle.exe

description	pid	process
Token: SeDebugPrivilege	368	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
Token: SeDebugPrivilege	3792	Idle.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe

description	pid	process	target process
PID 368 wrote to memory of 3792	368	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe	Idle.exe
PID 368 wrote to memory of 3792	368	01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe
"C:\Users\Admin\AppData\Local\Temp\01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Program Files\MSBuild\Microsoft\Idle.exe
"C:\Program Files\MSBuild\Microsoft\Idle.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Videos\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Documents\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\plugins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\tracing\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSBuild\Microsoft\Idle.exe
Filesize
1.4MB

MD5
13aeda86aafde4051d7ca9280dac9a67

SHA1
fd4a6168c79c28d6e25be7c799ffd25c2dbd69d0

SHA256
01ef75f76ae452476b1de15a3238617f33c4b685e5bb423de49f34f44b0a0111

SHA512
ddfc9a2a5a2f3b83023eecf4053de1930ebf9486d1cff869ab6d2199c5978926b2c4a6468358c627f4cff16a235c8d23b98711d8b3bf608ed03f4e4d7d7d0194

Download Submit
memory/368-4-0x0000000002B50000-0x0000000002B6C000-memory.dmp

Filesize
112KB

Download
memory/368-5-0x000000001B9F0000-0x000000001BA40000-memory.dmp

Filesize
320KB

Download
memory/368-3-0x00000000029D0000-0x00000000029DE000-memory.dmp

Filesize
56KB

Download
memory/368-7-0x000000001B480000-0x000000001B490000-memory.dmp

Filesize
64KB

Download
memory/368-10-0x000000001BA40000-0x000000001BA48000-memory.dmp

Filesize
32KB

Download
memory/368-8-0x000000001B9C0000-0x000000001B9D2000-memory.dmp

Filesize
72KB

Download
memory/368-2-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/368-0-0x00000000006E0000-0x0000000000846000-memory.dmp

Filesize
1.4MB

Download
memory/368-6-0x000000001B9A0000-0x000000001B9B6000-memory.dmp

Filesize
88KB

Download
memory/368-9-0x000000001C0C0000-0x000000001C5E8000-memory.dmp

Filesize
5.2MB

Download
memory/368-1-0x00007FFF4ABE0000-0x00007FFF4B6A1000-memory.dmp

Filesize
10.8MB

Download
memory/368-55-0x00007FFF4ABE0000-0x00007FFF4B6A1000-memory.dmp

Filesize
10.8MB

Download
memory/3792-56-0x000000001BF90000-0x000000001BFA0000-memory.dmp

Filesize
64KB

Download
memory/3792-54-0x00007FFF4ABE0000-0x00007FFF4B6A1000-memory.dmp

Filesize
10.8MB

Download
memory/3792-57-0x0000000001A40000-0x0000000001A52000-memory.dmp

Filesize
72KB

Download
memory/3792-59-0x00007FFF4ABE0000-0x00007FFF4B6A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads