dcrat | d7108405eebedbd1d610c13bd7dae066a7ca5497f7e1c8c977a92b8401083709

Analysis

max time kernel
44s
max time network
68s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b3fba9224cbcf82f7414bdb4108a150.exe
Size

999KB
MD5

2b3fba9224cbcf82f7414bdb4108a150
SHA1

635d95fb9bab5e8064fad1dd0fa6092633931f38
SHA256

30af24055c179294f9ad01cf551c4cce6d901cbaaeaf371e4cc3a7f584e994ba
SHA512

e4a960c6a8d273ef0d8bcf7f9943d17b4d2c4cd7dfe5620afe46d16ec87f1bbf564fa0b298d6e5bff40a350c58913b5e4576c46a8adefa8775895c98400422f8
SSDEEP

12288:/9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:/9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\explorer.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\wininit.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\smss.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\explorer.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\wininit.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\Default User\\spoolsv.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\explorer.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\wininit.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\ProgramData\\Desktop\\dwm.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\winlogon.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\explorer.exe\", \"C:\\Users\\Default User\\Idle.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\explorer.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\spoolsv.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\explorer.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\wininit.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\explorer.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\wininit.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\explorer.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\wininit.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\explorer.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\wininit.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\explorer.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\wininit.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\ProgramData\\Desktop\\dwm.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\explorer.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\explorer.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\wininit.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\smss.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe

Process spawned unexpected child process 56 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2936	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2936	schtasks.exe	29

Executes dropped EXE 1 IoCs

pid	Process
2004	explorer.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\explorer.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\wininit.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\lsm.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\smss.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ProgramData\\Desktop\\dwm.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\lsass.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\spoolsv.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\smss.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\winlogon.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\""	2b3fba9224cbcf82f7414bdb4108a150.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXD67C.tmp	2b3fba9224cbcf82f7414bdb4108a150.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\spoolsv.exe	2b3fba9224cbcf82f7414bdb4108a150.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXE2B7.tmp	2b3fba9224cbcf82f7414bdb4108a150.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXE239.tmp	2b3fba9224cbcf82f7414bdb4108a150.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\spoolsv.exe	2b3fba9224cbcf82f7414bdb4108a150.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\56085415360792	2b3fba9224cbcf82f7414bdb4108a150.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXD6BB.tmp	2b3fba9224cbcf82f7414bdb4108a150.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCXD9AA.tmp	2b3fba9224cbcf82f7414bdb4108a150.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\f3b6ecef712a24	2b3fba9224cbcf82f7414bdb4108a150.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe	2b3fba9224cbcf82f7414bdb4108a150.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe	2b3fba9224cbcf82f7414bdb4108a150.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe	2b3fba9224cbcf82f7414bdb4108a150.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\69ddcba757bf72	2b3fba9224cbcf82f7414bdb4108a150.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCXD93C.tmp	2b3fba9224cbcf82f7414bdb4108a150.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe	2b3fba9224cbcf82f7414bdb4108a150.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\index\System.exe	2b3fba9224cbcf82f7414bdb4108a150.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 56 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2540	schtasks.exe
1448	schtasks.exe
2516	schtasks.exe
844	schtasks.exe
1816	schtasks.exe
2020	schtasks.exe
2472	schtasks.exe
1584	schtasks.exe
3052	schtasks.exe
1532	schtasks.exe
2016	schtasks.exe
1536	schtasks.exe
1640	schtasks.exe
2552	schtasks.exe
832	schtasks.exe
3020	schtasks.exe
972	schtasks.exe
524	schtasks.exe
388	schtasks.exe
2632	schtasks.exe
316	schtasks.exe
1132	schtasks.exe
2440	schtasks.exe
2508	schtasks.exe
1728	schtasks.exe
2080	schtasks.exe
1708	schtasks.exe
2820	schtasks.exe
1304	schtasks.exe
2532	schtasks.exe
900	schtasks.exe
800	schtasks.exe
2076	schtasks.exe
2268	schtasks.exe
1780	schtasks.exe
2836	schtasks.exe
2728	schtasks.exe
2172	schtasks.exe
1220	schtasks.exe
1408	schtasks.exe
1988	schtasks.exe
2872	schtasks.exe
3016	schtasks.exe
2996	schtasks.exe
2032	schtasks.exe
924	schtasks.exe
1652	schtasks.exe
2884	schtasks.exe
2812	schtasks.exe
1984	schtasks.exe
1804	schtasks.exe
2672	schtasks.exe
2168	schtasks.exe
1636	schtasks.exe
2904	schtasks.exe
2224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3008	2b3fba9224cbcf82f7414bdb4108a150.exe
3008	2b3fba9224cbcf82f7414bdb4108a150.exe
3008	2b3fba9224cbcf82f7414bdb4108a150.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	2b3fba9224cbcf82f7414bdb4108a150.exe
Token: SeDebugPrivilege	2004	explorer.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2708	3008	2b3fba9224cbcf82f7414bdb4108a150.exe	87
PID 3008 wrote to memory of 2708	3008	2b3fba9224cbcf82f7414bdb4108a150.exe	87
PID 3008 wrote to memory of 2708	3008	2b3fba9224cbcf82f7414bdb4108a150.exe	87
PID 2708 wrote to memory of 800	2708	cmd.exe	89
PID 2708 wrote to memory of 800	2708	cmd.exe	89
PID 2708 wrote to memory of 800	2708	cmd.exe	89
PID 2708 wrote to memory of 2004	2708	cmd.exe	90
PID 2708 wrote to memory of 2004	2708	cmd.exe	90
PID 2708 wrote to memory of 2004	2708	cmd.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b3fba9224cbcf82f7414bdb4108a150.exe
"C:\Users\Admin\AppData\Local\Temp\2b3fba9224cbcf82f7414bdb4108a150.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1vwDPskygt.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:800
- - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe
    "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 6 /tr "'C:\ProgramData\Microsoft\Search\Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\Search\Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONSTART /tr "'C:\ProgramData\Microsoft\Search\Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\ProgramData\Microsoft\Search\Data\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONSTART /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONSTART /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONSTART /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONSTART /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONSTART /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 9 /tr "'C:\ProgramData\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProgramData\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\ProgramData\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\ProgramData\Desktop\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe

Filesize
999KB

MD5
621c74cd0e48adc16682d10b8fda4c3d

SHA1
12d8ee92816a51dfd66437d25bb29a0ee2d245dc

SHA256
62a682d17ebb7aeb53c917b9068f10e0d92b740759ce46e66d87dd418d79a377

SHA512
f152a4c9b42412e1ff04ce5a84c1961a07afd5b70107d94f9106998da3cbcfd46e85e7cc4a2944c21da1218fc420377ad03e145c2581d8b238c5041c996aac72

Download Submit
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe

Filesize
999KB

MD5
4149dd2ba86b2c09ed13c78e9855d923

SHA1
6d4101bf99c6bb71e70abc414ec8901c842ff5f7

SHA256
80be58cd463ba1c3693198cab812653048bcb9dbe361fb335e702bb1fe17e9f8

SHA512
93bfb872098e5fc7be67f7c6c432ad07cf8afbaad4b6c8642b0746c25e70fe29178a1f717839ab282e6cb1942cd2334b849b0e0f21a07ce1ae836de7ca2f2890

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\spoolsv.exe

Filesize
999KB

MD5
2b3fba9224cbcf82f7414bdb4108a150

SHA1
635d95fb9bab5e8064fad1dd0fa6092633931f38

SHA256
30af24055c179294f9ad01cf551c4cce6d901cbaaeaf371e4cc3a7f584e994ba

SHA512
e4a960c6a8d273ef0d8bcf7f9943d17b4d2c4cd7dfe5620afe46d16ec87f1bbf564fa0b298d6e5bff40a350c58913b5e4576c46a8adefa8775895c98400422f8

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe

Filesize
999KB

MD5
5c8c8b73f1afec95e049f74544c7b1f2

SHA1
bd0ee9af30d48c563e113fcd56540d1c7b1f1779

SHA256
88a19f1e9717847968776a90f675837ba3f3a7a8dfc816e9859af1396f8395b3

SHA512
767086b94eb04f95157c8e1c3007d0cc9136c71389091a799b47e73f6d9f684e3b71ea49f7d9957ca88c03c79b3bc7d835853137016a4ae2443eef7588159e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vwDPskygt.bat

Filesize
225B

MD5
2af639a1d7c57256ea7330115bf4e3b2

SHA1
f4f35aa52ef47edcbd93dc1568c4cd458959be28

SHA256
7260033e5df4b7f9e6db2a5660ce902f29b0578c2b7ab6a996aa7459b2cf4b86

SHA512
6412600d757d25e097560bd2da8f2e33f3c182fd4fa86c2692076031ad505519eb8333b1b23ad160d9b04ee9ff0969f731eb9782c362e6890c0c19492353dd10

Download Submit
C:\Users\Default\Idle.exe

Filesize
999KB

MD5
2f2373231d7c6833ef78728857869868

SHA1
f35bd408bf6fb972ce0eaad8a1b221dcc37e4fa8

SHA256
d9288e707a692f7e1d1ca86f47e4542d4bdf42f7a61a01a520d9c092fbade5b0

SHA512
9c8425ee2fe02cc44e764f4716d4b4a32331020841ee8724cf04a3e91aef5993c3d76c8a1ef45469d94dcd2a1e531462a041a60656faeddcdc96345c52af7b59

Download Submit
C:\Users\Public\Pictures\Sample Pictures\explorer.exe

Filesize
999KB

MD5
ea3769887988e324653f883146392839

SHA1
5db8ee0547029374e347188b250e0b961b189e6f

SHA256
d180c782b0ede7f12dac8ee095254064697563a9f8cd4f480c9c39a83c0ab641

SHA512
ab561c02302ea15d1e37bbbc8379f31f060a9884e882c2fef20a2697f202cdaac6b2c45a072a352045e9a6a03b4f80469009e44fe99808d65fa3a2dfd00792d3

Download Submit
memory/2004-216-0x0000000000B50000-0x0000000000C50000-memory.dmp

Filesize
1024KB

Download
memory/3008-6-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/3008-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/3008-10-0x0000000001FF0000-0x0000000001FFC000-memory.dmp

Filesize
48KB

Download
memory/3008-9-0x0000000001FE0000-0x0000000001FEC000-memory.dmp

Filesize
48KB

Download
memory/3008-25-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/3008-7-0x0000000001F40000-0x0000000001F4C000-memory.dmp

Filesize
48KB

Download
memory/3008-5-0x0000000000680000-0x0000000000690000-memory.dmp

Filesize
64KB

Download
memory/3008-8-0x0000000001F50000-0x0000000001F5E000-memory.dmp

Filesize
56KB

Download
memory/3008-4-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/3008-3-0x0000000000650000-0x000000000066C000-memory.dmp

Filesize
112KB

Download
memory/3008-170-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-213-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-1-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download