Analysis
max time kernel: 593s
max time network: 589s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2024 15:41
Behavioral task: behavioral1
Sample: 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Resource: win10v2004-20240709-en
Behavioral task: behavioral2
Sample: 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Resource: win11-20240709-en
General
Target: 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Size: 2.0MB
MD5: 6e4e01af6b88116f0c7331bba5e7b782
SHA1: 756c0a5ea8aac86f41d118166452a011a608043c
SHA256: 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147
SHA512: f49b6146f313624606a9eb80287c23c68aaefcf7ffafacba83a87b333b4388dd38a423a179b7bcb0e1d555873681b405c781faf68e2d7169fa7bcefe4a73874b
SSDEEP: 24576:jYe7C5QSBzoU/n15NuQtG+7IwzwT2wLqq12OBOa2WYO3QFSBztYSqEEU5oZUSzTO:jYemPM0tvmwGBF223ZztBqEqx9v
Malware Config
Signatures
DcRat 57 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
pid process
1476 schtasks.exe
1000 schtasks.exe
3220 schtasks.exe
3048 schtasks.exe
5028 schtasks.exe
1592 schtasks.exe
4184 schtasks.exe
4824 schtasks.exe
1608 schtasks.exe
2124 schtasks.exe
2544 schtasks.exe
4664 schtasks.exe
1460 schtasks.exe
4700 schtasks.exe
4880 schtasks.exe
4844 schtasks.exe
4512 schtasks.exe
4812 schtasks.exe
2800 schtasks.exe
4772 schtasks.exe
3804 schtasks.exe
1976 schtasks.exe
3688 schtasks.exe
460 schtasks.exe
4080 schtasks.exe
1756 schtasks.exe
2528 schtasks.exe
4024 schtasks.exe
392 schtasks.exe
3720 schtasks.exe
1720 schtasks.exe
5032 schtasks.exe
5044 schtasks.exe
3924 schtasks.exe
2992 schtasks.exe
4032 schtasks.exe
388 schtasks.exe
4484 schtasks.exe
3276 schtasks.exe
252 schtasks.exe
2672 schtasks.exe
2288 schtasks.exe
3632 schtasks.exe
1164 schtasks.exe
2112 schtasks.exe
3672 schtasks.exe
768 schtasks.exe
1264 schtasks.exe
808 schtasks.exe
4204 schtasks.exe
8 schtasks.exe
3200 schtasks.exe
2320 schtasks.exe
3108 schtasks.exe
4492 schtasks.exe
3416 schtasks.exe
2348 schtasks.exe
Modifies WinLogon for persistence 2 TTPs 19 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\smss.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Registry.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description pid pid_target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2800 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2124 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4844 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3108 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3688 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1000 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4080 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2320 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3276 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2112 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4812 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1264 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 808 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4184 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4512 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1592 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1608 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2348 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4024 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 8 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1976 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1756 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 460 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5032 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 392 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4772 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1476 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3672 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3416 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3720 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5028 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4484 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3200 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4664 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5044 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1720 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2544 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3924 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2528 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4492 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 768 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3220 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3048 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2288 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4204 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4700 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3632 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4032 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4880 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4824 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3804 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1164 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 388 1800 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 252 1800 schtasks.exe
Processes:
resource yara_rule
behavioral1/memory/4696-1-0x0000000000440000-0x000000000064E000-memory.dmp dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\fontdrvhost.exe dcrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Executes dropped EXE 14 IoCs
Processes:
pid process
4900 unsecapp.exe
4392 spoolsv.exe
236 Registry.exe
4984 winlogon.exe
4448 dwm.exe
2504 unsecapp.exe
404 lsass.exe
740 StartMenuExperienceHost.exe
2664 RuntimeBroker.exe
2864 sihost.exe
3304 spoolsv.exe
5104 Registry.exe
2304 winlogon.exe
1504 fontdrvhost.exe
Adds Run key to start application 2 TTPs 38 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\ModemLogs\\System.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Photo Viewer\\smss.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\RuntimeBroker.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\fr-FR\\sihost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\fr-FR\\sihost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Reference Assemblies\\Registry.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Tasks\\csrss.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\ModemLogs\\System.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\RuntimeBroker.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Photo Viewer\\smss.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Reference Assemblies\\Registry.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Tasks\\csrss.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\"" 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
3 ip-api.com
75 ip-api.com
79 ip-api.com
83 ip-api.com
88 ip-api.com
92 ip-api.com -
Drops file in Program Files directory 14 IoCs
Processes:
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
description ioc process
File created C:\Program Files\Windows Photo Viewer\smss.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files (x86)\Reference Assemblies\Registry.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files\Windows Mail\55b276f4edf653 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files (x86)\Windows Defender\dwm.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files (x86)\Windows Defender\6cb0b6c459d5d3 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\eddb19405b7ce1 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files (x86)\Windows Mail\eddb19405b7ce1 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files\Windows Photo Viewer\69ddcba757bf72 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files (x86)\Reference Assemblies\ee2ad38f3d4382 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files\Windows Mail\StartMenuExperienceHost.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files\WindowsPowerShell\Configuration\Registration\lsass.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files\WindowsPowerShell\Configuration\Registration\6203df4a6bafc7 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe -
Drops file in Windows directory 8 IoCs
Processes:
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
description ioc process
File created C:\Windows\Tasks\886983d96e3d3e 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Windows\ModemLogs\System.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Windows\ModemLogs\27d1bcfc3c54e0 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Windows\fr-FR\sihost.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Windows\fr-FR\66fc9ff0ee96c2 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Windows\Performance\WinSAT\DataStore\winlogon.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Windows\Performance\WinSAT\DataStore\cc11b995f2a76d 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created C:\Windows\Tasks\csrss.exe 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
schtasks.exe (57 instances), PIDs: 1608, 2320, 1264, 3632, 1164, 4772, 768, 388, 460, 2544, 4032, 3108, 2528, 1976, 3804, 3048, 1592, 4024, 392, 2124, 4844, 3276, 2112, 808, 3416, 4664, 2800, 3688, 4824, 3924, 5028, 3200, 2288, 4512, 5032, 2672, 4880, 4700, 252, 4184, 1756, 5044, 4492, 4204, 4080, 4812, 3720, 4484, 1460, 1000, 3672, 2992, 2348, 8, 1476, 1720, 3220 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process (duplicate rows collapsed; each process is listed once)
4696 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
4900 unsecapp.exe
4392 spoolsv.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 4696 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Token: SeDebugPrivilege 4900 unsecapp.exe
Token: SeDebugPrivilege 4392 spoolsv.exe
Token: SeDebugPrivilege 236 Registry.exe
Token: SeDebugPrivilege 4984 winlogon.exe
Token: SeDebugPrivilege 4448 dwm.exe
Token: SeDebugPrivilege 2504 unsecapp.exe
Token: SeDebugPrivilege 404 lsass.exe
Token: SeDebugPrivilege 740 StartMenuExperienceHost.exe
Token: SeDebugPrivilege 2664 RuntimeBroker.exe
Token: SeDebugPrivilege 2864 sihost.exe
Token: SeDebugPrivilege 3304 spoolsv.exe
Token: SeDebugPrivilege 5104 Registry.exe
Token: SeDebugPrivilege 2304 winlogon.exe
Token: SeDebugPrivilege 1504 fontdrvhost.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description pid process target process
PID 4696 wrote to memory of 1080 4696 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe cmd.exe
PID 4696 wrote to memory of 1080 4696 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe cmd.exe
PID 1080 wrote to memory of 2284 1080 cmd.exe w32tm.exe
PID 1080 wrote to memory of 2284 1080 cmd.exe w32tm.exe
PID 1080 wrote to memory of 4900 1080 cmd.exe unsecapp.exe
PID 1080 wrote to memory of 4900 1080 cmd.exe unsecapp.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\System32\cmd.exe (depth 2)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3NBm7OqwB.bat"
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\system32\w32tm.exe (depth 3)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2284
-
C:\Recovery\WindowsRE\unsecapp.exe (depth 3)
"C:\Recovery\WindowsRE\unsecapp.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\fontdrvhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\lsass.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:460
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\dwm.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\System.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\sihost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\fr-FR\sihost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\sihost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\smss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Registry.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Registry.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Registry.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:252
-
C:\Recovery\WindowsRE\spoolsv.exe (depth 1)
C:\Recovery\WindowsRE\spoolsv.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
C:\Program Files (x86)\Reference Assemblies\Registry.exe (depth 1)
"C:\Program Files (x86)\Reference Assemblies\Registry.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:236
-
C:\Windows\Performance\WinSAT\DataStore\winlogon.exe (depth 1)
C:\Windows\Performance\WinSAT\DataStore\winlogon.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4984
-
C:\Program Files (x86)\Windows Defender\dwm.exe (depth 1)
"C:\Program Files (x86)\Windows Defender\dwm.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4448
-
C:\Recovery\WindowsRE\unsecapp.exe (depth 1)
C:\Recovery\WindowsRE\unsecapp.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
C:\Program Files\WindowsPowerShell\Configuration\Registration\lsass.exe (depth 1)
"C:\Program Files\WindowsPowerShell\Configuration\Registration\lsass.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404
-
C:\Program Files\Windows Mail\StartMenuExperienceHost.exe (depth 1)
"C:\Program Files\Windows Mail\StartMenuExperienceHost.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:740
-
C:\Users\Admin\Downloads\RuntimeBroker.exe (depth 1)
C:\Users\Admin\Downloads\RuntimeBroker.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
C:\Windows\fr-FR\sihost.exe (depth 1)
C:\Windows\fr-FR\sihost.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
C:\Recovery\WindowsRE\spoolsv.exe (depth 1)
C:\Recovery\WindowsRE\spoolsv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3304
-
C:\Program Files (x86)\Reference Assemblies\Registry.exe (depth 1)
"C:\Program Files (x86)\Reference Assemblies\Registry.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5104
-
C:\Windows\Performance\WinSAT\DataStore\winlogon.exe (depth 1)
C:\Windows\Performance\WinSAT\DataStore\winlogon.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
C:\Users\Default\SendTo\fontdrvhost.exe (depth 1)
C:\Users\Default\SendTo\fontdrvhost.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1504
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads