dcrat | 5fc77394fd32986a32fe00746df98db40d11fb240cb6646513aec9157e104ff3

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2023 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0fdb67b7034d43be60f80a2ba12bb2e.exe
Size

1.8MB
MD5

b0fdb67b7034d43be60f80a2ba12bb2e
SHA1

1d1c2ad7442809558ac1213013a4e475381f32c0
SHA256

5fc77394fd32986a32fe00746df98db40d11fb240cb6646513aec9157e104ff3
SHA512

c63f955cfe434ea18b25a2d7d519acb8635b0c299b81dde939a51ef2cc18ebf3502083e4b0cd8ea7362f3726b00ef67ee8d6ab2a48908b1a2b82085a2ccd7c62
SSDEEP

24576:NzdI/9AP+8KrCL3EZ3xHEv/fpeE7mV8dseWXaPDrwa0uporxWgLiP6S+ig5mG+GJ:raKU5xHEv/fgd8OwQuIGJ

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	5096	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4300-146-0x0000000000400000-0x0000000000554000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

b0fdb67b7034d43be60f80a2ba12bb2e.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts b0fdb67b7034d43be60f80a2ba12bb2e.exe
Executes dropped EXE 2 IoCs

Processes:

services.exeservices.exe

pid process

3600 services.exe
1164 services.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b0fdb67b7034d43be60f80a2ba12bb2e.exe

pid	process
3600	services.exe
1164	services.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b0fdb67b7034d43be60f80a2ba12bb2e.exeb0fdb67b7034d43be60f80a2ba12bb2e.exeservices.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	b0fdb67b7034d43be60f80a2ba12bb2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	b0fdb67b7034d43be60f80a2ba12bb2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	services.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b0fdb67b7034d43be60f80a2ba12bb2e.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chromium = "\"C:\\Users\\Admin\\AppData\\Roaming\\chromium.exe\""	b0fdb67b7034d43be60f80a2ba12bb2e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chromium = "\"C:\\Users\\Admin\\AppData\\Roaming\\chromium.exe\""	services.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

44 ipinfo.io
45 ipinfo.io

flow	ioc
44	ipinfo.io
45	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

Processes:

b0fdb67b7034d43be60f80a2ba12bb2e.exeservices.exe

description	pid	process	target process
PID 4816 set thread context of 4300	4816	b0fdb67b7034d43be60f80a2ba12bb2e.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
PID 3600 set thread context of 1164	3600	services.exe	services.exe

Drops file in Program Files directory 16 IoCs

Processes:

b0fdb67b7034d43be60f80a2ba12bb2e.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\9e8d7a4ca61bd9	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files\MSBuild\Microsoft\5b884080fd4f94	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\0a1fd5f707cd16	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\e1ef82546f0b02	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files (x86)\Common Files\7a0fd90576e088	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\c5b4cb5e9653cc	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files\Microsoft Office 15\System.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files\MSBuild\Microsoft\fontdrvhost.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files (x86)\Internet Explorer\images\csrss.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files (x86)\Internet Explorer\images\886983d96e3d3e	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files (x86)\Common Files\explorer.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\SppExtComObj.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Program Files\Microsoft Office 15\27d1bcfc3c54e0	b0fdb67b7034d43be60f80a2ba12bb2e.exe

Drops file in Windows directory 2 IoCs

Processes:

b0fdb67b7034d43be60f80a2ba12bb2e.exe

description	ioc	process
File created	C:\Windows\schemas\Provisioning\WmiPrvSE.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
File created	C:\Windows\schemas\Provisioning\24dbde2999530e	b0fdb67b7034d43be60f80a2ba12bb2e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

services.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	services.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	services.exe

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
3352	schtasks.exe
3552	schtasks.exe
5100	schtasks.exe
1164	schtasks.exe
2116	schtasks.exe
2500	schtasks.exe
4424	schtasks.exe
1544	schtasks.exe
3296	schtasks.exe
1696	schtasks.exe
4752	schtasks.exe
4948	schtasks.exe
4168	schtasks.exe
3916	schtasks.exe
2136	schtasks.exe
3012	schtasks.exe
4212	schtasks.exe
3332	schtasks.exe
932	schtasks.exe
4372	schtasks.exe
2160	schtasks.exe
5036	schtasks.exe
1708	schtasks.exe
3192	schtasks.exe
4256	schtasks.exe
3648	schtasks.exe
448	schtasks.exe
2404	schtasks.exe
3388	schtasks.exe
3740	schtasks.exe
4116	schtasks.exe
2120	schtasks.exe
3976	schtasks.exe
3984	schtasks.exe
3372	schtasks.exe
752	schtasks.exe
2964	schtasks.exe
3344	schtasks.exe
4940	schtasks.exe
3888	schtasks.exe
1712	schtasks.exe
5028	schtasks.exe
804	schtasks.exe
1332	schtasks.exe
3384	schtasks.exe
3864	schtasks.exe
4100	schtasks.exe
3496	schtasks.exe

Modifies registry class 2 IoCs

Processes:

b0fdb67b7034d43be60f80a2ba12bb2e.exeservices.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	b0fdb67b7034d43be60f80a2ba12bb2e.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	services.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeb0fdb67b7034d43be60f80a2ba12bb2e.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeservices.exe

pid	process
3448	powershell.exe
3448	powershell.exe
4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe
4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe
4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe
3964	powershell.exe
3964	powershell.exe
808	powershell.exe
808	powershell.exe
1372	powershell.exe
1372	powershell.exe
376	powershell.exe
376	powershell.exe
648	powershell.exe
648	powershell.exe
4908	powershell.exe
4908	powershell.exe
2596	powershell.exe
2596	powershell.exe
4976	powershell.exe
4976	powershell.exe
4924	powershell.exe
4924	powershell.exe
1664	powershell.exe
1664	powershell.exe
3560	powershell.exe
3560	powershell.exe
4324	powershell.exe
4324	powershell.exe
3964	powershell.exe
3964	powershell.exe
1372	powershell.exe
808	powershell.exe
808	powershell.exe
376	powershell.exe
2596	powershell.exe
648	powershell.exe
4908	powershell.exe
4976	powershell.exe
4924	powershell.exe
1664	powershell.exe
4324	powershell.exe
3560	powershell.exe
4604	powershell.exe
4604	powershell.exe
4604	powershell.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe
1164	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

services.exe

pid process

1164 services.exe

pid	process
1164	services.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exeb0fdb67b7034d43be60f80a2ba12bb2e.exeb0fdb67b7034d43be60f80a2ba12bb2e.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeservices.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	4816	b0fdb67b7034d43be60f80a2ba12bb2e.exe
Token: SeDebugPrivilege	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	3560	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	3600	services.exe
Token: SeDebugPrivilege	1164	services.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

services.exe

pid process

1164 services.exe

pid	process
1164	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b0fdb67b7034d43be60f80a2ba12bb2e.exeb0fdb67b7034d43be60f80a2ba12bb2e.execmd.exew32tm.exeservices.exe

description	pid	process	target process
PID 4816 wrote to memory of 3448	4816	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4816 wrote to memory of 3448	4816	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4816 wrote to memory of 3448	4816	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4816 wrote to memory of 4300	4816	b0fdb67b7034d43be60f80a2ba12bb2e.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
PID 4816 wrote to memory of 4300	4816	b0fdb67b7034d43be60f80a2ba12bb2e.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
PID 4816 wrote to memory of 4300	4816	b0fdb67b7034d43be60f80a2ba12bb2e.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
PID 4816 wrote to memory of 4300	4816	b0fdb67b7034d43be60f80a2ba12bb2e.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
PID 4816 wrote to memory of 4300	4816	b0fdb67b7034d43be60f80a2ba12bb2e.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
PID 4816 wrote to memory of 4300	4816	b0fdb67b7034d43be60f80a2ba12bb2e.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
PID 4816 wrote to memory of 4300	4816	b0fdb67b7034d43be60f80a2ba12bb2e.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
PID 4816 wrote to memory of 4300	4816	b0fdb67b7034d43be60f80a2ba12bb2e.exe	b0fdb67b7034d43be60f80a2ba12bb2e.exe
PID 4300 wrote to memory of 3964	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 3964	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 3964	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 808	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 808	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 808	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 1372	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 1372	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 1372	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 376	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 376	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 376	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 648	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 648	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 648	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 4908	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 4908	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 4908	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 2596	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 2596	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 2596	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 4976	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 4976	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 4976	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 4924	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 4924	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 4924	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 1664	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 1664	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 1664	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 4324	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 4324	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 4324	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 3560	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 3560	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 3560	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	powershell.exe
PID 4300 wrote to memory of 3496	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	cmd.exe
PID 4300 wrote to memory of 3496	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	cmd.exe
PID 4300 wrote to memory of 3496	4300	b0fdb67b7034d43be60f80a2ba12bb2e.exe	cmd.exe
PID 3496 wrote to memory of 1660	3496	cmd.exe	w32tm.exe
PID 3496 wrote to memory of 1660	3496	cmd.exe	w32tm.exe
PID 3496 wrote to memory of 1660	3496	cmd.exe	w32tm.exe
PID 1660 wrote to memory of 4228	1660	w32tm.exe	w32tm.exe
PID 1660 wrote to memory of 4228	1660	w32tm.exe	w32tm.exe
PID 3496 wrote to memory of 3600	3496	cmd.exe	services.exe
PID 3496 wrote to memory of 3600	3496	cmd.exe	services.exe
PID 3496 wrote to memory of 3600	3496	cmd.exe	services.exe
PID 3600 wrote to memory of 4604	3600	services.exe	powershell.exe
PID 3600 wrote to memory of 4604	3600	services.exe	powershell.exe
PID 3600 wrote to memory of 4604	3600	services.exe	powershell.exe
PID 3600 wrote to memory of 1164	3600	services.exe	services.exe
PID 3600 wrote to memory of 1164	3600	services.exe	services.exe
PID 3600 wrote to memory of 1164	3600	services.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\b0fdb67b7034d43be60f80a2ba12bb2e.exe
"C:\Users\Admin\AppData\Local\Temp\b0fdb67b7034d43be60f80a2ba12bb2e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Users\Admin\AppData\Local\Temp\b0fdb67b7034d43be60f80a2ba12bb2e.exe
C:\Users\Admin\AppData\Local\Temp\b0fdb67b7034d43be60f80a2ba12bb2e.exe
2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1TNxy0Wrkm.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:4228

C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe
"C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgA1AA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe
"C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56455ef1-49b2-4c4a-9d8e-77205d333668.vbs"
6⤵
PID:3440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\509adb33-2855-41db-a3d9-cc8e33f39822.vbs"
6⤵
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0fdb67b7034d43be60f80a2ba12bb2eb" /sc MINUTE /mo 13 /tr "'C:\odt\b0fdb67b7034d43be60f80a2ba12bb2e.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0fdb67b7034d43be60f80a2ba12bb2e" /sc ONLOGON /tr "'C:\odt\b0fdb67b7034d43be60f80a2ba12bb2e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0fdb67b7034d43be60f80a2ba12bb2eb" /sc MINUTE /mo 13 /tr "'C:\odt\b0fdb67b7034d43be60f80a2ba12bb2e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0fdb67b7034d43be60f80a2ba12bb2eb" /sc MINUTE /mo 11 /tr "'C:\odt\b0fdb67b7034d43be60f80a2ba12bb2e.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0fdb67b7034d43be60f80a2ba12bb2e" /sc ONLOGON /tr "'C:\odt\b0fdb67b7034d43be60f80a2ba12bb2e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0fdb67b7034d43be60f80a2ba12bb2eb" /sc MINUTE /mo 6 /tr "'C:\odt\b0fdb67b7034d43be60f80a2ba12bb2e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\Provisioning\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\schemas\Provisioning\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\schemas\Provisioning\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe

Filesize
1.8MB

MD5
b0fdb67b7034d43be60f80a2ba12bb2e

SHA1
1d1c2ad7442809558ac1213013a4e475381f32c0

SHA256
5fc77394fd32986a32fe00746df98db40d11fb240cb6646513aec9157e104ff3

SHA512
c63f955cfe434ea18b25a2d7d519acb8635b0c299b81dde939a51ef2cc18ebf3502083e4b0cd8ea7362f3726b00ef67ee8d6ab2a48908b1a2b82085a2ccd7c62

Download Submit
C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe

Filesize
1.8MB

MD5
b0fdb67b7034d43be60f80a2ba12bb2e

SHA1
1d1c2ad7442809558ac1213013a4e475381f32c0

SHA256
5fc77394fd32986a32fe00746df98db40d11fb240cb6646513aec9157e104ff3

SHA512
c63f955cfe434ea18b25a2d7d519acb8635b0c299b81dde939a51ef2cc18ebf3502083e4b0cd8ea7362f3726b00ef67ee8d6ab2a48908b1a2b82085a2ccd7c62

Download Submit
C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe

Filesize
1.8MB

MD5
b0fdb67b7034d43be60f80a2ba12bb2e

SHA1
1d1c2ad7442809558ac1213013a4e475381f32c0

SHA256
5fc77394fd32986a32fe00746df98db40d11fb240cb6646513aec9157e104ff3

SHA512
c63f955cfe434ea18b25a2d7d519acb8635b0c299b81dde939a51ef2cc18ebf3502083e4b0cd8ea7362f3726b00ef67ee8d6ab2a48908b1a2b82085a2ccd7c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b0fdb67b7034d43be60f80a2ba12bb2e.exe.log

Filesize
1KB

MD5
4f3fab3e5f44399e7f4162fd367eca2d

SHA1
adada0591db5f53bcc0565942047156de3464e6e

SHA256
5db52f2a6a0fbfaa29e27418a1b72b660298dfa58a12ac0f12897a06e557caef

SHA512
d8c3fe3a91e572627e31a44d88a71fc3072786b074d04484ff6aacfeab43e0d29ec88bf6ad2af2a5f8e70f0c0eea95dcea59a8159adf4c642e5f8fd5fc632db7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
6bbf36ab886fe3c0e2f285ba4ad3ebc2

SHA1
7b967e5e28fd4166c2ea666ce8114331ca3b4501

SHA256
a35fca3fc80057671fb9badd6151dbda251ea3c8e1702ecf097dafe4fda92818

SHA512
816f57181e42765788f95b7f8f7e81c90972921e60329588e3290a2f5746aafaec5fd0b84e2f4790d3d94e75f0561c4151ccdbf7b5baed99d4e34c46f28b1b6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4040ce535a1f40a48e2e70d12fde655d

SHA1
d97f9187b7d8f4454e1412ecd25e6d2cccb9099a

SHA256
d40b8ed221d65878522d0bf7e49edce0f191942cbccf9688d3057c5367de0d53

SHA512
2fee814d5bf0d8c0f2efeb1c1e2936bd91b29f6340030f326cfaf22201451c302d7765ebbc37903e3186aa26a11bf3aa1bb678ecb11b93f98c7d5217753d691e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1004B

MD5
3862725ffc4b0b90ef39411cd99e527c

SHA1
1ac24d2139f690cc02406e446e6de7528d3428fb

SHA256
fd32f7490f2a56575f0d69d1e0f202233e99b5f65183d9dedb048de8c67cbe42

SHA512
78fc27deb89594d50a32cbe6d86ebb00b2a741ecafeb4a3604887323d1c70232e7a24571d7cebd285ceb90f7e292b68885470e5ada3a1701f9da8bf56fe60b86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4040ce535a1f40a48e2e70d12fde655d

SHA1
d97f9187b7d8f4454e1412ecd25e6d2cccb9099a

SHA256
d40b8ed221d65878522d0bf7e49edce0f191942cbccf9688d3057c5367de0d53

SHA512
2fee814d5bf0d8c0f2efeb1c1e2936bd91b29f6340030f326cfaf22201451c302d7765ebbc37903e3186aa26a11bf3aa1bb678ecb11b93f98c7d5217753d691e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
92e508ec16bbf70cf23cf8b1cd6043b4

SHA1
ab3c0948ab1858d57d7be521953351ac1f086a96

SHA256
928656dcbbc80bb8afa1265505695953879d9d62e9d5f8532297523c40199984

SHA512
e6a6af514a59b6f88f252771e813df099d08d19a5181fc7cda56abd59bbf22119957aa93d8fce47ee7499194bf5df163714c5477052fbe3393cd288965515deb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
000f4632fc55950d1761d3de1ef6b38f

SHA1
b95d0f382c43646ffb59596b3fa6d45ba0f14486

SHA256
86566828b75fad9b43095cc65bf7befea850193f88dbbce2508aa3ac6fa0a54e

SHA512
eb1572b0963bfeeda65c56c7baf49e37e64b1a3e13447ef06373cf933461beade8f7f2f7f2fcbc18c60a0a25071386c7c0c16a556ba527528677cf3f2eeeacbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
92e508ec16bbf70cf23cf8b1cd6043b4

SHA1
ab3c0948ab1858d57d7be521953351ac1f086a96

SHA256
928656dcbbc80bb8afa1265505695953879d9d62e9d5f8532297523c40199984

SHA512
e6a6af514a59b6f88f252771e813df099d08d19a5181fc7cda56abd59bbf22119957aa93d8fce47ee7499194bf5df163714c5477052fbe3393cd288965515deb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
000f4632fc55950d1761d3de1ef6b38f

SHA1
b95d0f382c43646ffb59596b3fa6d45ba0f14486

SHA256
86566828b75fad9b43095cc65bf7befea850193f88dbbce2508aa3ac6fa0a54e

SHA512
eb1572b0963bfeeda65c56c7baf49e37e64b1a3e13447ef06373cf933461beade8f7f2f7f2fcbc18c60a0a25071386c7c0c16a556ba527528677cf3f2eeeacbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
593778ede711203db3c96e507badd743

SHA1
b1b4831c6f9218875acd6a261d5c4298f34d2d92

SHA256
31cad111cd2a1088894383ae6a667c0c7707fe3fc77dc6c0c5abcbbb6589e1d6

SHA512
9f9585172ac3e6ea7e00fee73576becdfb4a34ea2b552ae9a2971364add50052d520c9c20fc8f887cc34aa7af84646a0483d633494c244af4f91c6405d875abc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
aacc78dbdef3115aba246834235fdc80

SHA1
bd6e6b702ce35389f136dcf719b36ae11fe7d91f

SHA256
f996a69f072692400751338ebf957c6dbdc826ccee8637c3db99907f5fcdb4f9

SHA512
ea1edb9eaee1f24da9a096b2dc6495874dd6baac2f9f687f161d4e5b9aa244eaeb89df4582f35a75c5c1d8434c8fedffa85f4f4ca27b7262cbd65335316d3ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1TNxy0Wrkm.bat

Filesize
225B

MD5
55f3139e616a7cccff8c6813675a7a07

SHA1
0738e0474b12ac0c13c4c84d1b6a8be6ee669b18

SHA256
d51cdc6b297a39cf692193c2769eaebbf13c37448f6d62079fc437d294c208e6

SHA512
971be9c1116b78dd4906ccd6a939b7b1bdcd34b9a3c4b7e65736495a9509bf59e09028d501f4861c17bf993f4dba08ab1571efa983c3357a1405faa8e1a609f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\509adb33-2855-41db-a3d9-cc8e33f39822.vbs

Filesize
512B

MD5
b5ed5daedccf00b9a120c1b3db088cb5

SHA1
8e99db083077625d77013fe2955ce18e73638599

SHA256
6a0e366809917f2dc6a400a64f8379a490c1a68de5bea394842a5e41caecb2cc

SHA512
4db2da512b3fd3dbba86f164c296e071ce29697ad11c72755ff2ade0125e6e6b12a61f7c17980bedf714f09a65fb467f45b049f9cd612d2829992386a8bfa9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\56455ef1-49b2-4c4a-9d8e-77205d333668.vbs

Filesize
736B

MD5
0ba9e41a6032bd2fa63e5104258df68a

SHA1
2990d1710b8f98dce7a6ac288caa5f59780b2ccb

SHA256
099f335042510722d5e5860a4b1c858ab6711bdfacd7f4835a90d54e06a9162b

SHA512
a4c5e57d5f1db440887251c72a2fcf3e777c5063e375761ca76c7b7102dfa01a9e290ee32cb438822e6c809779a2fa10e1db4052add794f02d6c708fcc5ec893

Download Submit
C:\Users\Admin\AppData\Roaming\chromium.exe

Filesize
1.8MB

MD5
b0fdb67b7034d43be60f80a2ba12bb2e

SHA1
1d1c2ad7442809558ac1213013a4e475381f32c0

SHA256
5fc77394fd32986a32fe00746df98db40d11fb240cb6646513aec9157e104ff3

SHA512
c63f955cfe434ea18b25a2d7d519acb8635b0c299b81dde939a51ef2cc18ebf3502083e4b0cd8ea7362f3726b00ef67ee8d6ab2a48908b1a2b82085a2ccd7c62

Download Submit
memory/376-153-0x0000000000000000-mapping.dmp

Download
memory/376-189-0x0000000007A70000-0x0000000007A8A000-memory.dmp

Filesize
104KB

Download
memory/376-190-0x0000000007A50000-0x0000000007A58000-memory.dmp

Filesize
32KB

Download
memory/376-174-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/648-154-0x0000000000000000-mapping.dmp

Download
memory/648-177-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/808-183-0x0000000007800000-0x0000000007896000-memory.dmp

Filesize
600KB

Download
memory/808-172-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/808-188-0x00000000060E0000-0x00000000060EE000-memory.dmp

Filesize
56KB

Download
memory/808-151-0x0000000000000000-mapping.dmp

Download
memory/1164-202-0x0000000000000000-mapping.dmp

Download
memory/1164-209-0x000000000A800000-0x000000000A9C2000-memory.dmp

Filesize
1.8MB

Download
memory/1372-152-0x0000000000000000-mapping.dmp

Download
memory/1372-173-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/1660-166-0x0000000000000000-mapping.dmp

Download
memory/1664-160-0x0000000000000000-mapping.dmp

Download
memory/1664-182-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/1696-206-0x0000000000000000-mapping.dmp

Download
memory/2596-156-0x0000000000000000-mapping.dmp

Download
memory/2596-175-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/3440-205-0x0000000000000000-mapping.dmp

Download
memory/3448-142-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/3448-138-0x0000000005190000-0x00000000051C6000-memory.dmp

Filesize
216KB

Download
memory/3448-137-0x0000000000000000-mapping.dmp

Download
memory/3448-144-0x0000000006BE0000-0x0000000006BFA000-memory.dmp

Filesize
104KB

Download
memory/3448-139-0x00000000058C0000-0x0000000005EE8000-memory.dmp

Filesize
6.2MB

Download
memory/3448-143-0x0000000007FD0000-0x000000000864A000-memory.dmp

Filesize
6.5MB

Download
memory/3448-140-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/3448-141-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/3496-163-0x0000000000000000-mapping.dmp

Download
memory/3560-162-0x0000000000000000-mapping.dmp

Download
memory/3560-184-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/3600-185-0x0000000000000000-mapping.dmp

Download
memory/3964-179-0x00000000077D0000-0x00000000077DA000-memory.dmp

Filesize
40KB

Download
memory/3964-171-0x0000000006980000-0x000000000699E000-memory.dmp

Filesize
120KB

Download
memory/3964-170-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/3964-169-0x0000000007430000-0x0000000007462000-memory.dmp

Filesize
200KB

Download
memory/3964-150-0x0000000000000000-mapping.dmp

Download
memory/4228-167-0x0000000000000000-mapping.dmp

Download
memory/4300-148-0x0000000005930000-0x0000000005980000-memory.dmp

Filesize
320KB

Download
memory/4300-146-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4300-145-0x0000000000000000-mapping.dmp

Download
memory/4300-149-0x00000000069C0000-0x0000000006EEC000-memory.dmp

Filesize
5.2MB

Download
memory/4324-181-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/4324-161-0x0000000000000000-mapping.dmp

Download
memory/4604-191-0x0000000000000000-mapping.dmp

Download
memory/4816-136-0x00000000066D0000-0x00000000066F2000-memory.dmp

Filesize
136KB

Download
memory/4816-132-0x0000000000BD0000-0x0000000000DA8000-memory.dmp

Filesize
1.8MB

Download
memory/4816-135-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/4816-134-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/4816-133-0x0000000005CF0000-0x0000000006294000-memory.dmp

Filesize
5.6MB

Download
memory/4908-176-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/4908-155-0x0000000000000000-mapping.dmp

Download
memory/4924-159-0x0000000000000000-mapping.dmp

Download
memory/4924-180-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/4976-158-0x0000000000000000-mapping.dmp

Download
memory/4976-178-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download