dcrat | b8c5e2c8477706f3f54e152443718dcec270889002289aa1730eabc5ba3f312f

Analysis

max time kernel
50s
max time network
68s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27603eafb6dd5000efc17b4d67e142aa.exe
Size

999KB
MD5

27603eafb6dd5000efc17b4d67e142aa
SHA1

bb6cfbad15876e4d37a7355618d6d29ab487245a
SHA256

cca55400b39ebc83a4b99277a47d4f83e0af9172b5f8008427ecab55d5c63f67
SHA512

b3aadec99d7c1fab9ded1efe5023537d6675fe16ef18bda9885722ca76cc008ba0676106c559300fbb412351a72aa9c959c524d049e794bd22fa1b418d592661
SSDEEP

12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WmiPrvSE.exe\", \"C:\\ProgramData\\Documents\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\taskhost.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\smss.exe\", \"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\wininit.exe\", \"C:\\Users\\Public\\Favorites\\27603eafb6dd5000efc17b4d67e142aa.exe\", \"C:\\Users\\Default\\Documents\\My Music\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\ProgramData\\Start Menu\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Users\\Admin\\Downloads\\lsm.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WmiPrvSE.exe\", \"C:\\ProgramData\\Documents\\Idle.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WmiPrvSE.exe\", \"C:\\ProgramData\\Documents\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\taskhost.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\smss.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WmiPrvSE.exe\", \"C:\\ProgramData\\Documents\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\taskhost.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\smss.exe\", \"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\wininit.exe\", \"C:\\Users\\Public\\Favorites\\27603eafb6dd5000efc17b4d67e142aa.exe\", \"C:\\Users\\Default\\Documents\\My Music\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WmiPrvSE.exe\", \"C:\\ProgramData\\Documents\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\taskhost.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\smss.exe\", \"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\wininit.exe\", \"C:\\Users\\Public\\Favorites\\27603eafb6dd5000efc17b4d67e142aa.exe\", \"C:\\Users\\Default\\Documents\\My Music\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WmiPrvSE.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WmiPrvSE.exe\", \"C:\\ProgramData\\Documents\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\taskhost.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WmiPrvSE.exe\", \"C:\\ProgramData\\Documents\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\taskhost.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\smss.exe\", \"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\wininit.exe\", \"C:\\Users\\Public\\Favorites\\27603eafb6dd5000efc17b4d67e142aa.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WmiPrvSE.exe\", \"C:\\ProgramData\\Documents\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\taskhost.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\smss.exe\", \"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\wininit.exe\", \"C:\\Users\\Public\\Favorites\\27603eafb6dd5000efc17b4d67e142aa.exe\", \"C:\\Users\\Default\\Documents\\My Music\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\ProgramData\\Start Menu\\WmiPrvSE.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WmiPrvSE.exe\", \"C:\\ProgramData\\Documents\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\taskhost.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\smss.exe\", \"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\wininit.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WmiPrvSE.exe\", \"C:\\ProgramData\\Documents\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\taskhost.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\smss.exe\", \"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\wininit.exe\", \"C:\\Users\\Public\\Favorites\\27603eafb6dd5000efc17b4d67e142aa.exe\", \"C:\\Users\\Default\\Documents\\My Music\\Idle.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WmiPrvSE.exe\", \"C:\\ProgramData\\Documents\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\taskhost.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\smss.exe\", \"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\wininit.exe\", \"C:\\Users\\Public\\Favorites\\27603eafb6dd5000efc17b4d67e142aa.exe\", \"C:\\Users\\Default\\Documents\\My Music\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\ProgramData\\Start Menu\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\services.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	3020	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	3020	schtasks.exe	29

Executes dropped EXE 2 IoCs

pid	Process
2084	27603eafb6dd5000efc17b4d67e142aa.exe
2060	wininit.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\RemotePackages\\RemoteApps\\dllhost.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows Sidebar\\es-ES\\WmiPrvSE.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\smss.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\wininit.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\services.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\Documents\\Idle.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\27603eafb6dd5000efc17b4d67e142aa = "\"C:\\Users\\Public\\Favorites\\27603eafb6dd5000efc17b4d67e142aa.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\Documents\\My Music\\Idle.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Journal\\en-US\\wininit.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\ProgramData\\Start Menu\\WmiPrvSE.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Admin\\Downloads\\lsm.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\taskhost.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Journal\en-US\RCX6961.tmp	27603eafb6dd5000efc17b4d67e142aa.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\RCX69DF.tmp	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Program Files\Windows Sidebar\es-ES\24dbde2999530e	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\69ddcba757bf72	27603eafb6dd5000efc17b4d67e142aa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\taskhost.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\taskhost.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\wininit.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Program Files\Windows Sidebar\es-ES\WmiPrvSE.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\smss.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\smss.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\taskhost.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\b75386f1303e64	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Program Files\7-Zip\Lang\taskhost.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Program Files\Windows Journal\en-US\wininit.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\WmiPrvSE.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Program Files\7-Zip\Lang\b75386f1303e64	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Program Files\Windows Journal\en-US\56085415360792	27603eafb6dd5000efc17b4d67e142aa.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RemotePackages\RemoteApps\dllhost.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Windows\RemotePackages\RemoteApps\5940a34987c991	27603eafb6dd5000efc17b4d67e142aa.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCX674D.tmp	27603eafb6dd5000efc17b4d67e142aa.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCX674E.tmp	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Windows\RemotePackages\RemoteApps\dllhost.exe	27603eafb6dd5000efc17b4d67e142aa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe
784	schtasks.exe
2488	schtasks.exe
1656	schtasks.exe
2788	schtasks.exe
2580	schtasks.exe
2448	schtasks.exe
1400	schtasks.exe
1592	schtasks.exe
2736	schtasks.exe
2928	schtasks.exe
548	schtasks.exe
1888	schtasks.exe
1100	schtasks.exe
1448	schtasks.exe
2052	schtasks.exe
2204	schtasks.exe
3040	schtasks.exe
3036	schtasks.exe
108	schtasks.exe
2452	schtasks.exe
940	schtasks.exe
2468	schtasks.exe
2228	schtasks.exe
708	schtasks.exe
2824	schtasks.exe
2716	schtasks.exe
800	schtasks.exe
576	schtasks.exe
2160	schtasks.exe
2700	schtasks.exe
3048	schtasks.exe
2100	schtasks.exe
2572	schtasks.exe
1932	schtasks.exe
2356	schtasks.exe
1556	schtasks.exe
2284	schtasks.exe
1872	schtasks.exe
2924	schtasks.exe
1184	schtasks.exe
2724	schtasks.exe
1700	schtasks.exe
2428	schtasks.exe
1956	schtasks.exe
2668	schtasks.exe
620	schtasks.exe
1976	schtasks.exe
2356	schtasks.exe
1640	schtasks.exe
2660	schtasks.exe
2220	schtasks.exe
3052	schtasks.exe
2980	schtasks.exe
876	schtasks.exe
1312	schtasks.exe
2436	schtasks.exe
2384	schtasks.exe
1020	schtasks.exe
2992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3000	27603eafb6dd5000efc17b4d67e142aa.exe
2084	27603eafb6dd5000efc17b4d67e142aa.exe
2084	27603eafb6dd5000efc17b4d67e142aa.exe
2084	27603eafb6dd5000efc17b4d67e142aa.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	27603eafb6dd5000efc17b4d67e142aa.exe
Token: SeDebugPrivilege	2084	27603eafb6dd5000efc17b4d67e142aa.exe
Token: SeDebugPrivilege	2060	wininit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1124	3000	27603eafb6dd5000efc17b4d67e142aa.exe	42
PID 3000 wrote to memory of 1124	3000	27603eafb6dd5000efc17b4d67e142aa.exe	42
PID 3000 wrote to memory of 1124	3000	27603eafb6dd5000efc17b4d67e142aa.exe	42
PID 1124 wrote to memory of 1752	1124	cmd.exe	44
PID 1124 wrote to memory of 1752	1124	cmd.exe	44
PID 1124 wrote to memory of 1752	1124	cmd.exe	44
PID 1124 wrote to memory of 2084	1124	cmd.exe	45
PID 1124 wrote to memory of 2084	1124	cmd.exe	45
PID 1124 wrote to memory of 2084	1124	cmd.exe	45
PID 2084 wrote to memory of 2060	2084	27603eafb6dd5000efc17b4d67e142aa.exe	94
PID 2084 wrote to memory of 2060	2084	27603eafb6dd5000efc17b4d67e142aa.exe	94
PID 2084 wrote to memory of 2060	2084	27603eafb6dd5000efc17b4d67e142aa.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\27603eafb6dd5000efc17b4d67e142aa.exe
"C:\Users\Admin\AppData\Local\Temp\27603eafb6dd5000efc17b4d67e142aa.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NnGM38uG2C.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1752
- - C:\Users\Admin\AppData\Local\Temp\27603eafb6dd5000efc17b4d67e142aa.exe
    "C:\Users\Admin\AppData\Local\Temp\27603eafb6dd5000efc17b4d67e142aa.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\ProgramData\Adobe\Acrobat\9.0\wininit.exe
      "C:\ProgramData\Adobe\Acrobat\9.0\wininit.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteApps\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONSTART /tr "'C:\Windows\RemotePackages\RemoteApps\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONSTART /tr "'C:\Program Files\Windows Journal\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONSTART /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONSTART /tr "'C:\Program Files\Windows Sidebar\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONSTART /tr "'C:\ProgramData\Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\ProgramData\Documents\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONSTART /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONSTART /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Adobe\Acrobat\9.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Acrobat\9.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONSTART /tr "'C:\ProgramData\Adobe\Acrobat\9.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\ProgramData\Adobe\Acrobat\9.0\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "27603eafb6dd5000efc17b4d67e142aa" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Favorites\27603eafb6dd5000efc17b4d67e142aa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "27603eafb6dd5000efc17b4d67e142aa" /sc ONLOGON /tr "'C:\Users\Public\Favorites\27603eafb6dd5000efc17b4d67e142aa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "27603eafb6dd5000efc17b4d67e142aa" /sc ONSTART /tr "'C:\Users\Public\Favorites\27603eafb6dd5000efc17b4d67e142aa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "27603eafb6dd5000efc17b4d67e142aa2" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\27603eafb6dd5000efc17b4d67e142aa.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\My Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONSTART /tr "'C:\Users\Default\Documents\My Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Documents\My Music\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONSTART /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONSTART /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc MINUTE /mo 14 /tr "'C:\ProgramData\Start Menu\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONSTART /tr "'C:\ProgramData\Start Menu\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Start Menu\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONSTART /tr "'C:\Users\Admin\Downloads\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Journal\en-US\wininit.exe

Filesize
999KB

MD5
d2e42b8b6c3342bcf9d8c353c5b71a1c

SHA1
8e12e00a2895e36c1cb3ed6fad0eaafdcc1a7173

SHA256
5e90173dee591a0e88eb7fe3af3583cbb4fdf9f744c43a017018866edb72fc35

SHA512
20d52341f31460b4d85fea25825e2311b8ea0f22a5aa9ad5b426e086d09b843f097c15f4086a5ad237267cb0fca46f554245d722f5235d5950f7a66885bcec91

Download Submit
C:\Users\Admin\AppData\Local\Temp\NnGM38uG2C.bat

Filesize
234B

MD5
a71d9899235aedb14b88c1ccddbb6263

SHA1
7f7171e223c807b6d228518cf0e0aa4903d5feb1

SHA256
a99ff164eb367bf7761396bcbdeee323a319681724b4398dd7b7a4b90cccb7ad

SHA512
a8fba0d9dc47552e06cbb18c9ad42a5b8a4806fa79dee858c1ded1919611dc1921c9d2fb8bd6e713bc2b209a1ab96a3c179f7a7cd720dc526429c6f3962790d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX652A.tmp

Filesize
999KB

MD5
27603eafb6dd5000efc17b4d67e142aa

SHA1
bb6cfbad15876e4d37a7355618d6d29ab487245a

SHA256
cca55400b39ebc83a4b99277a47d4f83e0af9172b5f8008427ecab55d5c63f67

SHA512
b3aadec99d7c1fab9ded1efe5023537d6675fe16ef18bda9885722ca76cc008ba0676106c559300fbb412351a72aa9c959c524d049e794bd22fa1b418d592661

Download Submit
memory/2060-121-0x00000000001B0000-0x00000000002B0000-memory.dmp

Filesize
1024KB

Download
memory/2084-66-0x00000000012D0000-0x00000000013D0000-memory.dmp

Filesize
1024KB

Download
memory/3000-4-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/3000-7-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/3000-6-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/3000-8-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/3000-9-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/3000-10-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/3000-11-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/3000-5-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/3000-0-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download
memory/3000-3-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-64-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-2-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download
memory/3000-1-0x00000000010F0000-0x00000000011F0000-memory.dmp

Filesize
1024KB

Download