dcrat | 000996e02592d6f5216a77464baff2591739b5cb35a8ad930a5424c9099c7e11

Analysis

max time kernel
102s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d39a7ade0eaa19a185fc11508caeba9.exe
Size

920KB
MD5

0d39a7ade0eaa19a185fc11508caeba9
SHA1

5083d9622465c43bc02a1edd71acd1d9ae75270c
SHA256

51c94ec08bddcec2e7992bb2c758e8518850b373e649ac57c9c26067715bd2ea
SHA512

480bbfb12c3bbde7cff197f069a9aec5558464f417c7920f0dd09e4b1ba859d9e7b7d7f552a7bad094a3ec49069ce442240be5380e2d1ee0de6cec6f514506b0
SSDEEP

12288:lANcYfRu9sAPayJk5cz9VBRmWAJXJmn72Rfc/G/BwG5vo5YTJRI1m2h47oJuzlZ4:lAbJwPa3YnGWnSR/uGuFQaRQj/

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 17 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\0d39a7ade0eaa19a185fc11508caeba9.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\unsecapp.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\explorer.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\0d39a7ade0eaa19a185fc11508caeba9.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\unsecapp.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\explorer.exe\", \"C:\\Documents and Settings\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Migration\\sysmon.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\0d39a7ade0eaa19a185fc11508caeba9.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\unsecapp.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\explorer.exe\", \"C:\\Documents and Settings\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Migration\\sysmon.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\TextInputHost.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\0d39a7ade0eaa19a185fc11508caeba9.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\0d39a7ade0eaa19a185fc11508caeba9.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\unsecapp.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\explorer.exe\", \"C:\\Documents and Settings\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\0d39a7ade0eaa19a185fc11508caeba9.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\unsecapp.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\explorer.exe\", \"C:\\Documents and Settings\\explorer.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\spoolsv.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\0d39a7ade0eaa19a185fc11508caeba9.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\unsecapp.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\0d39a7ade0eaa19a185fc11508caeba9.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\unsecapp.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\explorer.exe\", \"C:\\Documents and Settings\\explorer.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\", \"C:\\Documents and Settings\\dllhost.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\3D Objects\\System.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	4136	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	4136	schtasks.exe	87

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	0d39a7ade0eaa19a185fc11508caeba9.exe

Executes dropped EXE 1 IoCs

pid	Process
4924	sysmon.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\smss.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\unsecapp.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Documents and Settings\\explorer.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Documents and Settings\\csrss.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\Migration\\sysmon.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\d9c22b4eaa3c0b9c12c7\\TextInputHost.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0d39a7ade0eaa19a185fc11508caeba9 = "\"C:\\Recovery\\WindowsRE\\0d39a7ade0eaa19a185fc11508caeba9.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\backgroundTaskHost.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\3D Objects\\System.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\d9c22b4eaa3c0b9c12c7\\spoolsv.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\explorer.exe\""	0d39a7ade0eaa19a185fc11508caeba9.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\unsecapp.exe	0d39a7ade0eaa19a185fc11508caeba9.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe	0d39a7ade0eaa19a185fc11508caeba9.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\7a0fd90576e088	0d39a7ade0eaa19a185fc11508caeba9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXB397.tmp	0d39a7ade0eaa19a185fc11508caeba9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXB398.tmp	0d39a7ade0eaa19a185fc11508caeba9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCXB5AC.tmp	0d39a7ade0eaa19a185fc11508caeba9.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\29c1c3cc0f7685	0d39a7ade0eaa19a185fc11508caeba9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\unsecapp.exe	0d39a7ade0eaa19a185fc11508caeba9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCXB5AD.tmp	0d39a7ade0eaa19a185fc11508caeba9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe	0d39a7ade0eaa19a185fc11508caeba9.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Migration\RCXBFC7.tmp	0d39a7ade0eaa19a185fc11508caeba9.exe
File opened for modification	C:\Windows\Migration\sysmon.exe	0d39a7ade0eaa19a185fc11508caeba9.exe
File created	C:\Windows\SystemResources\RuntimeBroker.exe	0d39a7ade0eaa19a185fc11508caeba9.exe
File created	C:\Windows\Migration\sysmon.exe	0d39a7ade0eaa19a185fc11508caeba9.exe
File created	C:\Windows\Migration\121e5b5079f7c0	0d39a7ade0eaa19a185fc11508caeba9.exe
File opened for modification	C:\Windows\Migration\RCXBFC6.tmp	0d39a7ade0eaa19a185fc11508caeba9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0d39a7ade0eaa19a185fc11508caeba9.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1744	schtasks.exe
4488	schtasks.exe
632	schtasks.exe
3272	schtasks.exe
4016	schtasks.exe
2240	schtasks.exe
540	schtasks.exe
1440	schtasks.exe
2456	schtasks.exe
1416	schtasks.exe
1792	schtasks.exe
840	schtasks.exe
3052	schtasks.exe
1204	schtasks.exe
784	schtasks.exe
4868	schtasks.exe
4480	schtasks.exe
4832	schtasks.exe
412	schtasks.exe
1688	schtasks.exe
1576	schtasks.exe
1812	schtasks.exe
2772	schtasks.exe
1884	schtasks.exe
2416	schtasks.exe
3660	schtasks.exe
1760	schtasks.exe
2224	schtasks.exe
4252	schtasks.exe
3984	schtasks.exe
3968	schtasks.exe
4076	schtasks.exe
1536	schtasks.exe
2648	schtasks.exe
4436	schtasks.exe
3920	schtasks.exe
4176	schtasks.exe
4964	schtasks.exe
2336	schtasks.exe
1388	schtasks.exe
4400	schtasks.exe
2088	schtasks.exe
2984	schtasks.exe
4968	schtasks.exe
5092	schtasks.exe
2284	schtasks.exe
5016	schtasks.exe
3976	schtasks.exe
1208	schtasks.exe
3416	schtasks.exe
4824	schtasks.exe
32	schtasks.exe
2280	schtasks.exe
440	schtasks.exe
408	schtasks.exe
3000	schtasks.exe
2292	schtasks.exe
864	schtasks.exe
2300	schtasks.exe
4928	schtasks.exe
2816	schtasks.exe
888	schtasks.exe
1068	schtasks.exe
2144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
3480	0d39a7ade0eaa19a185fc11508caeba9.exe
4924	sysmon.exe
4924	sysmon.exe
4924	sysmon.exe
4924	sysmon.exe
4924	sysmon.exe
4924	sysmon.exe
4924	sysmon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3480	0d39a7ade0eaa19a185fc11508caeba9.exe
Token: SeDebugPrivilege	4924	sysmon.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 4924	3480	0d39a7ade0eaa19a185fc11508caeba9.exe	162
PID 3480 wrote to memory of 4924	3480	0d39a7ade0eaa19a185fc11508caeba9.exe	162

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0d39a7ade0eaa19a185fc11508caeba9.exe
"C:\Users\Admin\AppData\Local\Temp\0d39a7ade0eaa19a185fc11508caeba9.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\Migration\sysmon.exe
  "C:\Windows\Migration\sysmon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zGTgbackgroundTaskHost" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Microsoft\WinMSIPC\Server\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Y8EObackgroundTaskHost" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\WinMSIPC\Server\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wIEhbackgroundTaskHost" /sc ONSTART /tr "'C:\ProgramData\Microsoft\WinMSIPC\Server\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc MINUTE /mo 10 /tr "'C:\ProgramData\Microsoft\WinMSIPC\Server\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HsYhRuntimeBroker" /sc MINUTE /mo 9 /tr "'C:\ProgramData\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "s8VyRuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "nnz1RuntimeBroker" /sc ONSTART /tr "'C:\ProgramData\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 7 /tr "'C:\ProgramData\Application Data\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "nQeLSystem" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\3D Objects\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4WcFSystem" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0KoGSystem" /sc ONSTART /tr "'C:\Users\Admin\3D Objects\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\3D Objects\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zP6hcsrss" /sc MINUTE /mo 6 /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "aUdecsrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2bBqcsrss" /sc ONSTART /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 9 /tr "'C:\Documents and Settings\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8uPCsmss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "pxDEsmss" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4qM7smss" /sc ONSTART /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "M0zrdllhost" /sc MINUTE /mo 8 /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hLgedllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3N5ndllhost" /sc ONSTART /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 8 /tr "'C:\Documents and Settings\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "VJxwdllhost" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "pLySdllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mFb9dllhost" /sc ONSTART /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "QMQrwinlogon" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cIrYwinlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7d3Zwinlogon" /sc ONSTART /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "YJbLspoolsv" /sc MINUTE /mo 6 /tr "'C:\d9c22b4eaa3c0b9c12c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "pi94spoolsv" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WBZnspoolsv" /sc ONSTART /tr "'C:\d9c22b4eaa3c0b9c12c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 5 /tr "'C:\d9c22b4eaa3c0b9c12c7\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tuTM0d39a7ade0eaa19a185fc11508caeba9" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\0d39a7ade0eaa19a185fc11508caeba9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MURs0d39a7ade0eaa19a185fc11508caeba9" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\0d39a7ade0eaa19a185fc11508caeba9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "yUZj0d39a7ade0eaa19a185fc11508caeba9" /sc ONSTART /tr "'C:\Recovery\WindowsRE\0d39a7ade0eaa19a185fc11508caeba9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0d39a7ade0eaa19a185fc11508caeba9" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\0d39a7ade0eaa19a185fc11508caeba9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "QuCtunsecapp" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "kF2Munsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TLUpunsecapp" /sc ONSTART /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "KYSEexplorer" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wuRbexplorer" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Mf9Lexplorer" /sc ONSTART /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4eCdexplorer" /sc MINUTE /mo 11 /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1FcKexplorer" /sc ONLOGON /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ebNHexplorer" /sc ONSTART /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 7 /tr "'C:\Documents and Settings\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tKQJservices" /sc MINUTE /mo 12 /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CtL7services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bva2services" /sc ONSTART /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc MINUTE /mo 11 /tr "'C:\Documents and Settings\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "rUmyRuntimeBroker" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UVvpRuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "YhRSRuntimeBroker" /sc ONSTART /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "JfrGsysmon" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "W1u9sysmon" /sc ONLOGON /tr "'C:\Windows\Migration\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OG5Isysmon" /sc ONSTART /tr "'C:\Windows\Migration\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ZFEfTextInputHost" /sc MINUTE /mo 5 /tr "'C:\d9c22b4eaa3c0b9c12c7\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zE94TextInputHost" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AMtXTextInputHost" /sc ONSTART /tr "'C:\d9c22b4eaa3c0b9c12c7\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\TextInputHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\smss.exe

Filesize
920KB

MD5
0d39a7ade0eaa19a185fc11508caeba9

SHA1
5083d9622465c43bc02a1edd71acd1d9ae75270c

SHA256
51c94ec08bddcec2e7992bb2c758e8518850b373e649ac57c9c26067715bd2ea

SHA512
480bbfb12c3bbde7cff197f069a9aec5558464f417c7920f0dd09e4b1ba859d9e7b7d7f552a7bad094a3ec49069ce442240be5380e2d1ee0de6cec6f514506b0

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
920KB

MD5
bd5c03706a3ea766720b4d9cb8fd71e6

SHA1
78b642d0f8d56328ba54b20ec1c8814c31292881

SHA256
f97cfefe45e89cf165f8eddf643025d474fcd8d6b98d60e31f4fa64c3417d821

SHA512
f20f596344c9635c19f7b25b16d75867d9739cefc50e6b097d13a47fa993c276f309076da97ac0613366404da2bf53210b901f94beb4d86f0df549ecb584d05e

Download Submit
memory/3480-3-0x0000000002960000-0x000000000297C000-memory.dmp

Filesize
112KB

Download
memory/3480-8-0x000000001C210000-0x000000001C738000-memory.dmp

Filesize
5.2MB

Download
memory/3480-0-0x00007FFAFECF3000-0x00007FFAFECF5000-memory.dmp

Filesize
8KB

Download
memory/3480-5-0x000000001B2A0000-0x000000001B2B0000-memory.dmp

Filesize
64KB

Download
memory/3480-6-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

Filesize
64KB

Download
memory/3480-7-0x000000001B2C0000-0x000000001B2D2000-memory.dmp

Filesize
72KB

Download
memory/3480-9-0x000000001B340000-0x000000001B34C000-memory.dmp

Filesize
48KB

Download
memory/3480-4-0x000000001B2F0000-0x000000001B340000-memory.dmp

Filesize
320KB

Download
memory/3480-10-0x000000001B4D0000-0x000000001B4DC000-memory.dmp

Filesize
48KB

Download
memory/3480-11-0x000000001B460000-0x000000001B468000-memory.dmp

Filesize
32KB

Download
memory/3480-2-0x00007FFAFECF0000-0x00007FFAFF7B1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-191-0x00007FFAFECF3000-0x00007FFAFECF5000-memory.dmp

Filesize
8KB

Download
memory/3480-204-0x00007FFAFECF0000-0x00007FFAFF7B1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-1-0x00000000006B0000-0x000000000079C000-memory.dmp

Filesize
944KB

Download
memory/3480-309-0x00007FFAFECF0000-0x00007FFAFF7B1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-310-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download