dcrat | 5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6

Analysis

max time kernel
120s
max time network
133s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Size

999KB
MD5

7c3748401169a78459eb9603ff69e2b2
SHA1

1a5d82422f062f1ce5d6eb3cb41c56d066f7981f
SHA256

d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d
SHA512

ec52f803bd6ff1fbcec6da1624a5fb93ebba87742fd3191b27fdf8e77bc7cbc8217542eacffb1f1f2c323a3956ef3037ef47595c9a00e43951172171275abc12
SSDEEP

12288:/9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:/9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Public\\Downloads\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Public\\Downloads\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\ProgramData\\Desktop\\Idle.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Public\\Downloads\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\ProgramData\\Desktop\\Idle.exe\", \"C:\\Windows\\security\\templates\\dwm.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Public\\Downloads\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Public\\Downloads\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\ProgramData\\Desktop\\Idle.exe\", \"C:\\Windows\\security\\templates\\dwm.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\audiodg.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Public\\Downloads\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\ProgramData\\Desktop\\Idle.exe\", \"C:\\Windows\\security\\templates\\dwm.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\Presentation Designs\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Public\\Downloads\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\ProgramData\\Desktop\\Idle.exe\", \"C:\\Windows\\security\\templates\\dwm.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\Presentation Designs\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsm.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Public\\Downloads\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\ProgramData\\Desktop\\Idle.exe\", \"C:\\Windows\\security\\templates\\dwm.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\Presentation Designs\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsm.exe\", \"C:\\Windows\\SoftwareDistribution\\dllhost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Public\\Downloads\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\ProgramData\\Desktop\\Idle.exe\", \"C:\\Windows\\security\\templates\\dwm.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\Presentation Designs\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsm.exe\", \"C:\\Windows\\SoftwareDistribution\\dllhost.exe\", \"C:\\Windows\\it-IT\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Public\\Downloads\\lsm.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Public\\Downloads\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Process spawned unexpected child process 56 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1832	schtasks.exe	30

Executes dropped EXE 1 IoCs

pid	Process
2496	Idle.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Documents\\My Videos\\services.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\dwm.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Public\\Downloads\\lsm.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\audiodg.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SoftwareDistribution\\dllhost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d = "\"C:\\Windows\\it-IT\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\Desktop\\Idle.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\security\\templates\\dwm.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\Presentation Designs\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsm.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\6cb0b6c459d5d3	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\dwm.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXB0ED.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\audiodg.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXB07F.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\RCXB35E.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\dwm.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\42af1c969fbb7b	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\RCX9EA4.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\audiodg.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\9f171e4e11a5db	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\RCX9F12.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\RCXB35F.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\5940a34987c991	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\it-IT\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\security\templates\RCXAE7A.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\security\templates\dwm.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\SoftwareDistribution\RCXB842.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\it-IT\RCXBAB5.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\security\templates\RCXAE7B.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\SoftwareDistribution\RCXB8B0.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\it-IT\RCXBAB4.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\it-IT\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\security\templates\dwm.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\SoftwareDistribution\dllhost.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\it-IT\9f171e4e11a5db	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\SoftwareDistribution\dllhost.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\security\templates\6cb0b6c459d5d3	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 56 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2756	schtasks.exe
2852	schtasks.exe
2104	schtasks.exe
2500	schtasks.exe
1080	schtasks.exe
2064	schtasks.exe
1524	schtasks.exe
1528	schtasks.exe
2608	schtasks.exe
2680	schtasks.exe
2436	schtasks.exe
1652	schtasks.exe
3008	schtasks.exe
2856	schtasks.exe
2888	schtasks.exe
2736	schtasks.exe
2664	schtasks.exe
2936	schtasks.exe
1828	schtasks.exe
1124	schtasks.exe
2424	schtasks.exe
2296	schtasks.exe
1944	schtasks.exe
1996	schtasks.exe
2460	schtasks.exe
1680	schtasks.exe
2036	schtasks.exe
2636	schtasks.exe
2420	schtasks.exe
2716	schtasks.exe
1580	schtasks.exe
2128	schtasks.exe
2308	schtasks.exe
2528	schtasks.exe
1600	schtasks.exe
1032	schtasks.exe
1860	schtasks.exe
2744	schtasks.exe
828	schtasks.exe
2804	schtasks.exe
1740	schtasks.exe
1704	schtasks.exe
1632	schtasks.exe
528	schtasks.exe
1664	schtasks.exe
2908	schtasks.exe
2356	schtasks.exe
236	schtasks.exe
768	schtasks.exe
1760	schtasks.exe
1264	schtasks.exe
2988	schtasks.exe
1700	schtasks.exe
2980	schtasks.exe
3028	schtasks.exe
1496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Token: SeDebugPrivilege	2496	Idle.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2496	2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	89
PID 2364 wrote to memory of 2496	2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	89
PID 2364 wrote to memory of 2496	2364	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
"C:\Users\Admin\AppData\Local\Temp\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\ProgramData\Desktop\Idle.exe
  "C:\ProgramData\Desktop\Idle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONSTART /tr "'C:\Users\Admin\Documents\My Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Documents\My Videos\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Downloads\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONSTART /tr "'C:\Users\Public\Downloads\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1dd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 7 /tr "'C:\ProgramData\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONSTART /tr "'C:\ProgramData\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Desktop\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 13 /tr "'C:\Windows\security\templates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\security\templates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\Windows\security\templates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\security\templates\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONSTART /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1dd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONSTART /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONSTART /tr "'C:\Windows\SoftwareDistribution\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc ONLOGON /tr "'C:\Windows\it-IT\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc ONSTART /tr "'C:\Windows\it-IT\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1dd" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Filesize
999KB

MD5
3713fcbae80345696be0e3d952ff7abe

SHA1
b1538cb20992dc5406a388b2e973edf2dfaed87f

SHA256
78ae2a3da5d4c3263917ee741ee08a693372d41780982243f42a35bf4f2f7d81

SHA512
cdba257cab5937ac4bbf439d4aaca063caa8cecf91c0fa559091c4cf3d327e2cafa73a81fc2026445fe0499f41ccfe56299e57f262b4b61079bbd7ef30fe76bb

Download Submit
C:\Program Files (x86)\Windows Sidebar\de-DE\dwm.exe

Filesize
999KB

MD5
c67d42c47aa10bcd748a163d22ff2bc2

SHA1
0e93e479d80915889eba8ceb0b573f41346084bf

SHA256
143a0e04fd956613e3d960f298534d7e5f8db5bf013adc3f4143a2e9d49477d5

SHA512
8b7ba11bfb2f2c691b2f7c814a32c27a6eb523f16aabea1f22c588021fcbe6e71606cae0b2a48070fc0e12ac5ea20daa9429b1d640b6f3573be11205c9fd0423

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe

Filesize
999KB

MD5
7c3748401169a78459eb9603ff69e2b2

SHA1
1a5d82422f062f1ce5d6eb3cb41c56d066f7981f

SHA256
d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d

SHA512
ec52f803bd6ff1fbcec6da1624a5fb93ebba87742fd3191b27fdf8e77bc7cbc8217542eacffb1f1f2c323a3956ef3037ef47595c9a00e43951172171275abc12

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe

Filesize
999KB

MD5
103969e87f1bc938270366c984d76c3f

SHA1
236078a6396732721fd2641949b8513ab677825f

SHA256
b6eafd36ecf8e25aade36dd970193081dc5c64330c8ee319ac99e67cce4b8f49

SHA512
e24adcf8865635105925e22e83b4a96d91332f8ebf603d3875de0a779ee697f7c2a93bf20b290fcbf96f44b8818225964e6aa12e9f79a0c85035301b123004af

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe

Filesize
999KB

MD5
5327381ec93d0d99e08f571fb1a9cf6a

SHA1
e0cf1ce7156a37bdc5bc039c46ac5e78e26a90ac

SHA256
c1a0ec076a436370e6141650b926603c7c2c5a887aa8d3efd1786d159286016c

SHA512
ffe954256fa9764878e622f913a586e21ad3d87764ef657b854da4ed4ab569b7f81e7176eb6a733e1fb477679d036f1749864e4f5a79700d06876c90271be1c7

Download Submit
C:\Users\Public\Desktop\Idle.exe

Filesize
999KB

MD5
9a3796863099462531a335cbd09ad9de

SHA1
e447c93452b6f9d2228c7ad5587789cddef9996f

SHA256
42010582abdd6eb0ed94295a31a450a9a37b2291115ac6bafe884573c552d79e

SHA512
5bc813473e47fa1639b4c75c680ae23d4b8e3845008a3cf26374b131476da035f5fe3648258ed48ea12ed12059734e01e0bdbafb236dcc0ee969d7c11c5384c4

Download Submit
C:\Windows\SoftwareDistribution\dllhost.exe

Filesize
999KB

MD5
8cfc0d9414865c42f76738fbb58b4b49

SHA1
f9365d9b847b5a1652a556e984125a340b09d3f1

SHA256
c344399d84790329485eb53af874c6976e0f8e05daa104b06e3f7090c2c7c234

SHA512
3356f7e0d657cd0c3ad1811b781dfbeb2e2ce2098a5da8c2aff6a310b226bb2c775b486883c24bc58a50a578c5d3cba29fed2bab8516d8ae1b8efbda7849ccff

Download Submit
memory/2364-5-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/2364-4-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2364-8-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/2364-10-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2364-7-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2364-6-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2364-0-0x000007FEF4FC3000-0x000007FEF4FC4000-memory.dmp

Filesize
4KB

Download
memory/2364-9-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2364-3-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/2364-2-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-179-0x000007FEF4FC3000-0x000007FEF4FC4000-memory.dmp

Filesize
4KB

Download
memory/2364-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2364-203-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-212-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-211-0x0000000000E80000-0x0000000000F80000-memory.dmp

Filesize
1024KB

Download