dcrat | 37393231ee6c2f1e4e81bb820867302f509abe5108d7e6eac891fe1ab4b66ca5

Analysis

max time kernel
102s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6982d011a327e88728cfc8b6305503b.exe
Size

999KB
MD5

b6982d011a327e88728cfc8b6305503b
SHA1

062fa217e9e470a4519cf52317103cebe8df8d20
SHA256

219bf63bcfc9f321c2a5c0ca3aca0e5dfff80d7dd75537ebf2e7df9aac879ec1
SHA512

32523771889fa8ad9bba0b0a4537ec8794b29a4ef68d3084e3886162bb2fdefd8251924a042bad7b5b28ef14b08aa3b81478195530c6875e78878c7355bee910
SSDEEP

12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 19 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\", \"C:\\f170d29a37c9c9775251\\winlogon.exe\", \"C:\\7330c8a20692d0b35002ea5a\\services.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\", \"C:\\f170d29a37c9c9775251\\winlogon.exe\", \"C:\\7330c8a20692d0b35002ea5a\\services.exe\", \"C:\\f170d29a37c9c9775251\\Idle.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\", \"C:\\f170d29a37c9c9775251\\winlogon.exe\", \"C:\\7330c8a20692d0b35002ea5a\\services.exe\", \"C:\\f170d29a37c9c9775251\\Idle.exe\", \"C:\\Windows\\ModemLogs\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\7330c8a20692d0b35002ea5a\\dllhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sppsvc.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\", \"C:\\f170d29a37c9c9775251\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\", \"C:\\f170d29a37c9c9775251\\winlogon.exe\", \"C:\\7330c8a20692d0b35002ea5a\\services.exe\", \"C:\\f170d29a37c9c9775251\\Idle.exe\", \"C:\\Windows\\ModemLogs\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\7330c8a20692d0b35002ea5a\\dllhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sppsvc.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\", \"C:\\f170d29a37c9c9775251\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Users\\Default\\Templates\\OfficeClickToRun.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\", \"C:\\f170d29a37c9c9775251\\winlogon.exe\", \"C:\\7330c8a20692d0b35002ea5a\\services.exe\", \"C:\\f170d29a37c9c9775251\\Idle.exe\", \"C:\\Windows\\ModemLogs\\taskhostw.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\", \"C:\\f170d29a37c9c9775251\\winlogon.exe\", \"C:\\7330c8a20692d0b35002ea5a\\services.exe\", \"C:\\f170d29a37c9c9775251\\Idle.exe\", \"C:\\Windows\\ModemLogs\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\7330c8a20692d0b35002ea5a\\dllhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sppsvc.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\", \"C:\\f170d29a37c9c9775251\\backgroundTaskHost.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\", \"C:\\f170d29a37c9c9775251\\winlogon.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\", \"C:\\f170d29a37c9c9775251\\winlogon.exe\", \"C:\\7330c8a20692d0b35002ea5a\\services.exe\", \"C:\\f170d29a37c9c9775251\\Idle.exe\", \"C:\\Windows\\ModemLogs\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\", \"C:\\f170d29a37c9c9775251\\winlogon.exe\", \"C:\\7330c8a20692d0b35002ea5a\\services.exe\", \"C:\\f170d29a37c9c9775251\\Idle.exe\", \"C:\\Windows\\ModemLogs\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\7330c8a20692d0b35002ea5a\\dllhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sppsvc.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\unsecapp.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\", \"C:\\f170d29a37c9c9775251\\winlogon.exe\", \"C:\\7330c8a20692d0b35002ea5a\\services.exe\", \"C:\\f170d29a37c9c9775251\\Idle.exe\", \"C:\\Windows\\ModemLogs\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\7330c8a20692d0b35002ea5a\\dllhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sppsvc.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\unsecapp.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\", \"C:\\f170d29a37c9c9775251\\winlogon.exe\", \"C:\\7330c8a20692d0b35002ea5a\\services.exe\", \"C:\\f170d29a37c9c9775251\\Idle.exe\", \"C:\\Windows\\ModemLogs\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\7330c8a20692d0b35002ea5a\\dllhost.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\", \"C:\\f170d29a37c9c9775251\\winlogon.exe\", \"C:\\7330c8a20692d0b35002ea5a\\services.exe\", \"C:\\f170d29a37c9c9775251\\Idle.exe\", \"C:\\Windows\\ModemLogs\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\7330c8a20692d0b35002ea5a\\dllhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\f170d29a37c9c9775251\\upfc.exe\", \"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\", \"C:\\f170d29a37c9c9775251\\sihost.exe\", \"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\", \"C:\\f170d29a37c9c9775251\\winlogon.exe\", \"C:\\7330c8a20692d0b35002ea5a\\services.exe\", \"C:\\f170d29a37c9c9775251\\Idle.exe\", \"C:\\Windows\\ModemLogs\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\7330c8a20692d0b35002ea5a\\dllhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sppsvc.exe\""	b6982d011a327e88728cfc8b6305503b.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6052	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5240	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5820	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6048	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5380	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5940	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5912	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5552	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5892	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	5416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	5416	schtasks.exe	88

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	b6982d011a327e88728cfc8b6305503b.exe

Executes dropped EXE 1 IoCs

pid	Process
4516	services.exe

Adds Run key to start application 2 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\ProgramData\\WindowsHolographicDevices\\backgroundTaskHost.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\7330c8a20692d0b35002ea5a\\StartMenuExperienceHost.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ProgramData\\USOShared\\Logs\\User\\dwm.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\7330c8a20692d0b35002ea5a\\dllhost.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Multimedia Platform\\unsecapp.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\f170d29a37c9c9775251\\upfc.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\ModemLogs\\taskhostw.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\f170d29a37c9c9775251\\Idle.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\services.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sppsvc.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\f170d29a37c9c9775251\\backgroundTaskHost.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\f170d29a37c9c9775251\\sihost.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\f170d29a37c9c9775251\\winlogon.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\7330c8a20692d0b35002ea5a\\services.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Application Data\\lsass.exe\""	b6982d011a327e88728cfc8b6305503b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Default\\Templates\\OfficeClickToRun.exe\""	b6982d011a327e88728cfc8b6305503b.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\it-IT\services.exe	b6982d011a327e88728cfc8b6305503b.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\c5b4cb5e9653cc	b6982d011a327e88728cfc8b6305503b.exe
File created	C:\Program Files\Windows Multimedia Platform\29c1c3cc0f7685	b6982d011a327e88728cfc8b6305503b.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX9B06.tmp	b6982d011a327e88728cfc8b6305503b.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\unsecapp.exe	b6982d011a327e88728cfc8b6305503b.exe
File created	C:\Program Files\Windows Multimedia Platform\unsecapp.exe	b6982d011a327e88728cfc8b6305503b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\RCX9601.tmp	b6982d011a327e88728cfc8b6305503b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\RCX9602.tmp	b6982d011a327e88728cfc8b6305503b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\services.exe	b6982d011a327e88728cfc8b6305503b.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX9B07.tmp	b6982d011a327e88728cfc8b6305503b.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\ea9f0e6c9e2dcd	b6982d011a327e88728cfc8b6305503b.exe
File opened for modification	C:\Windows\ModemLogs\RCX8EF6.tmp	b6982d011a327e88728cfc8b6305503b.exe
File opened for modification	C:\Windows\ModemLogs\RCX8EF7.tmp	b6982d011a327e88728cfc8b6305503b.exe
File opened for modification	C:\Windows\ModemLogs\taskhostw.exe	b6982d011a327e88728cfc8b6305503b.exe
File created	C:\Windows\ModemLogs\taskhostw.exe	b6982d011a327e88728cfc8b6305503b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5892	schtasks.exe
4516	schtasks.exe
4920	schtasks.exe
3980	schtasks.exe
2312	schtasks.exe
3576	schtasks.exe
5940	schtasks.exe
4844	schtasks.exe
4028	schtasks.exe
996	schtasks.exe
4572	schtasks.exe
4560	schtasks.exe
4656	schtasks.exe
836	schtasks.exe
1660	schtasks.exe
3536	schtasks.exe
5428	schtasks.exe
3768	schtasks.exe
4664	schtasks.exe
5240	schtasks.exe
6048	schtasks.exe
1288	schtasks.exe
4100	schtasks.exe
4876	schtasks.exe
5588	schtasks.exe
2240	schtasks.exe
6052	schtasks.exe
4892	schtasks.exe
3004	schtasks.exe
1904	schtasks.exe
4936	schtasks.exe
4636	schtasks.exe
4452	schtasks.exe
1528	schtasks.exe
2172	schtasks.exe
512	schtasks.exe
4628	schtasks.exe
5160	schtasks.exe
4676	schtasks.exe
4776	schtasks.exe
4172	schtasks.exe
3832	schtasks.exe
544	schtasks.exe
1028	schtasks.exe
3480	schtasks.exe
3692	schtasks.exe
5380	schtasks.exe
5608	schtasks.exe
5332	schtasks.exe
2180	schtasks.exe
396	schtasks.exe
2908	schtasks.exe
4992	schtasks.exe
5064	schtasks.exe
3508	schtasks.exe
4760	schtasks.exe
4912	schtasks.exe
4212	schtasks.exe
440	schtasks.exe
4588	schtasks.exe
2880	schtasks.exe
2032	schtasks.exe
2020	schtasks.exe
2712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
920	b6982d011a327e88728cfc8b6305503b.exe
920	b6982d011a327e88728cfc8b6305503b.exe
920	b6982d011a327e88728cfc8b6305503b.exe
920	b6982d011a327e88728cfc8b6305503b.exe
920	b6982d011a327e88728cfc8b6305503b.exe
920	b6982d011a327e88728cfc8b6305503b.exe
920	b6982d011a327e88728cfc8b6305503b.exe
920	b6982d011a327e88728cfc8b6305503b.exe
920	b6982d011a327e88728cfc8b6305503b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	920	b6982d011a327e88728cfc8b6305503b.exe
Token: SeDebugPrivilege	4516	services.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 4516	920	b6982d011a327e88728cfc8b6305503b.exe	171
PID 920 wrote to memory of 4516	920	b6982d011a327e88728cfc8b6305503b.exe	171

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b6982d011a327e88728cfc8b6305503b.exe
"C:\Users\Admin\AppData\Local\Temp\b6982d011a327e88728cfc8b6305503b.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920
- C:\Program Files (x86)\Internet Explorer\it-IT\services.exe
  "C:\Program Files (x86)\Internet Explorer\it-IT\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc MINUTE /mo 8 /tr "'C:\ProgramData\WindowsHolographicDevices\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONSTART /tr "'C:\ProgramData\WindowsHolographicDevices\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\ProgramData\WindowsHolographicDevices\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONSTART /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc MINUTE /mo 11 /tr "'C:\f170d29a37c9c9775251\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONSTART /tr "'C:\f170d29a37c9c9775251\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\f170d29a37c9c9775251\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc MINUTE /mo 14 /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONSTART /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc MINUTE /mo 5 /tr "'C:\f170d29a37c9c9775251\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\sihost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONSTART /tr "'C:\f170d29a37c9c9775251\sihost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\f170d29a37c9c9775251\sihost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 7 /tr "'C:\ProgramData\USOShared\Logs\User\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProgramData\USOShared\Logs\User\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\ProgramData\USOShared\Logs\User\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\ProgramData\USOShared\Logs\User\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 12 /tr "'C:\f170d29a37c9c9775251\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\f170d29a37c9c9775251\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\f170d29a37c9c9775251\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc MINUTE /mo 8 /tr "'C:\7330c8a20692d0b35002ea5a\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONSTART /tr "'C:\7330c8a20692d0b35002ea5a\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\7330c8a20692d0b35002ea5a\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 7 /tr "'C:\f170d29a37c9c9775251\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONSTART /tr "'C:\f170d29a37c9c9775251\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\f170d29a37c9c9775251\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\ModemLogs\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONSTART /tr "'C:\Windows\ModemLogs\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONSTART /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 11 /tr "'C:\7330c8a20692d0b35002ea5a\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONSTART /tr "'C:\7330c8a20692d0b35002ea5a\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\7330c8a20692d0b35002ea5a\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONSTART /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc MINUTE /mo 12 /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONSTART /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONSTART /tr "'C:\Program Files\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ProgramData\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONSTART /tr "'C:\ProgramData\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\ProgramData\Application Data\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc MINUTE /mo 8 /tr "'C:\f170d29a37c9c9775251\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONSTART /tr "'C:\f170d29a37c9c9775251\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\f170d29a37c9c9775251\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONSTART /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7330c8a20692d0b35002ea5a\services.exe

Filesize
999KB

MD5
f46903e57041521e6499caf17a8422df

SHA1
21235a1e2c257ef24796ad212003e26811020299

SHA256
149f47ca094c65bb2980358fd4b338ce28fe0f5b4baca62bbd1f2263dbb0ca03

SHA512
5bba192717d0cf98c5a480932da2e9cabd8350da588943f629cc84c4587eeaae2d77b5cbe6f45cbe3fbc41c26d7caa3eab4e47cdeb333a9e799b815aef9e6863

Download Submit
C:\ProgramData\USOShared\Logs\User\dwm.exe

Filesize
999KB

MD5
9ec8f304f8129e7eba324aec5b0520e4

SHA1
c1bbaef65ce19f14cdb59469bf27863df337350d

SHA256
c9093862c7c681c1fdfd38b1442258df1dfddf4534af7ddf6d3fad3fdf60c2bf

SHA512
9d26c716d7e83bb75a172fd07bb5548942178dd6e409925a1892560ba9a176bd6049166f45ee0c9bd6a683ac234959742c67578a333defb90f35df09b78b7f2c

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
999KB

MD5
1df9957ef02d8a930a244d1da17131c6

SHA1
34f42a3ec1b9c39fc3527bdf0014b50b215de854

SHA256
fbc69dc1f7035363182ea2668cb4c918b08946165226510216bd0eb43f3ea1e8

SHA512
df60cbb5e2a27bd3521a67728bf90081b808cb14424c1958d227315c77803b7366b64c80bef75ccbb45924b052ade7443be596530c3ee72be6051f97f15363c4

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
999KB

MD5
54efa0b529f22f32ce97d7751e87c811

SHA1
c07acf601b68aa2afdf0067ddfb36fdd17957f16

SHA256
b14f772405779d966241bcb78754cbdb2a93b29273ebb595bb0e0bd23c3750f4

SHA512
ebda678ccf5109d0b44cab6dbf114c8921fdf8592714e1c0cb6303e368c67e1400bb779bdc1e9559fc68179c09d1c65b9c37cd98d389aa7c0d2d1fba38d7ab8f

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\RCXA494.tmp

Filesize
999KB

MD5
94b96bf7c9bd3950e160e35339a66b96

SHA1
0e9a4bc63eb28a4ac097fa0f92894d01698b9eaa

SHA256
55f8ac7858c652c0f364a6f5d7cdffcdd051b05bc20c6725d6a1633d3a449caf

SHA512
afa5ffb3140d4ace94b48d3d30e981fe7305f9251597809c172dd73408d6f0d142f3784566aa1ff8a61dfbc96803b1e406aa30fdc0a33958ddf9cbad065e08e2

Download Submit
C:\f170d29a37c9c9775251\Idle.exe

Filesize
999KB

MD5
a307b8a33b5967ce76ec9edf404e0bc4

SHA1
36f6449f477dfbaab081494af4d9ec0c659371e2

SHA256
00099538a1a15454cd0ad92deacbd3f3781fbe7ba672b675b48b1a4ac5911fc9

SHA512
08c74e3dfedbd0431e7bc7f5875311b7996d967121bb003095dbf0a5b76ae66efdf658697691757a78768e800fdc7c33e3b552679e1fb8e44586292975d70a0f

Download Submit
C:\f170d29a37c9c9775251\sihost.exe

Filesize
999KB

MD5
b6982d011a327e88728cfc8b6305503b

SHA1
062fa217e9e470a4519cf52317103cebe8df8d20

SHA256
219bf63bcfc9f321c2a5c0ca3aca0e5dfff80d7dd75537ebf2e7df9aac879ec1

SHA512
32523771889fa8ad9bba0b0a4537ec8794b29a4ef68d3084e3886162bb2fdefd8251924a042bad7b5b28ef14b08aa3b81478195530c6875e78878c7355bee910

Download Submit
memory/920-7-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/920-0-0x00007FFBEE583000-0x00007FFBEE585000-memory.dmp

Filesize
8KB

Download
memory/920-9-0x0000000002700000-0x000000000270E000-memory.dmp

Filesize
56KB

Download
memory/920-10-0x0000000002710000-0x000000000271C000-memory.dmp

Filesize
48KB

Download
memory/920-11-0x0000000002720000-0x000000000272C000-memory.dmp

Filesize
48KB

Download
memory/920-3-0x00000000026A0000-0x00000000026BC000-memory.dmp

Filesize
112KB

Download
memory/920-6-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/920-8-0x00000000026F0000-0x00000000026FC000-memory.dmp

Filesize
48KB

Download
memory/920-4-0x000000001B220000-0x000000001B270000-memory.dmp

Filesize
320KB

Download
memory/920-5-0x0000000000D50000-0x0000000000D60000-memory.dmp

Filesize
64KB

Download
memory/920-181-0x00007FFBEE583000-0x00007FFBEE585000-memory.dmp

Filesize
8KB

Download
memory/920-205-0x00007FFBEE580000-0x00007FFBEF041000-memory.dmp

Filesize
10.8MB

Download
memory/920-2-0x00007FFBEE580000-0x00007FFBEF041000-memory.dmp

Filesize
10.8MB

Download
memory/920-1-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/920-285-0x00007FFBEE580000-0x00007FFBEF041000-memory.dmp

Filesize
10.8MB

Download