dcrat | 6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6

Analysis

max time kernel
136s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2023 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
Size

2.3MB
MD5

2bf6abda97d1e5460b69e1b86bc21fb8
SHA1

712884175ccd13f72ea0f67d7ae293ccbd55ca10
SHA256

6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6
SHA512

dd990825e5ff65b53b828ba5976c5499780d3d94fc4c39260aa3c738d6fd02b97f8ea5585ba7a72a4131e5e38c3fb87b7aeaa4c66702ca77bac6b8fd2a31ffc7
SSDEEP

24576:fsuSTCERnVt1Jv5g17IP7hBjIHkC9j1P+5CT3slE4JpF8Z8xA35E0LQcJsw7AFS:QVX8Hj1gJc6x0dLQcV9OL2i++

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	3312	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	3312	schtasks.exe	80

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/4140-132-0x0000000000990000-0x0000000000BF0000-memory.dmp	net_reactor
behavioral2/files/0x0006000000022e55-190.dat	net_reactor
behavioral2/files/0x0006000000022e55-191.dat	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe

Executes dropped EXE 1 IoCs

pid	Process
3844	fontdrvhost.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
47	ip-api.com

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\56085415360792	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\wininit.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\0a1fd5f707cd16	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\System.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files\7-Zip\Lang\27d1bcfc3c54e0	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sppsvc.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\ea1d8f6d871115	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files\7-Zip\Lang\System.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\wininit.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sppsvc.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\56085415360792	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\INF\9e8d7a4ca61bd9	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\SearchApp.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\38384e6a620884	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Windows\GameBarPresenceWriter\9e8d7a4ca61bd9	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\StartMenuExperienceHost.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\55b276f4edf653	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Windows\servicing\InboxFodMetadataCache\metadata\Idle.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Windows\INF\RuntimeBroker.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\SearchApp.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\StartMenuExperienceHost.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File created	C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
File opened for modification	C:\Windows\INF\RuntimeBroker.exe	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
396	schtasks.exe
3976	schtasks.exe
1984	schtasks.exe
4160	schtasks.exe
4300	schtasks.exe
4800	schtasks.exe
1216	schtasks.exe
4432	schtasks.exe
560	schtasks.exe
3892	schtasks.exe
1148	schtasks.exe
4900	schtasks.exe
1856	schtasks.exe
4756	schtasks.exe
4156	schtasks.exe
2612	schtasks.exe
2884	schtasks.exe
2828	schtasks.exe
2496	schtasks.exe
320	schtasks.exe
4372	schtasks.exe
2360	schtasks.exe
4424	schtasks.exe
1740	schtasks.exe
2604	schtasks.exe
5088	schtasks.exe
3024	schtasks.exe
4780	schtasks.exe
216	schtasks.exe
3364	schtasks.exe
5068	schtasks.exe
2696	schtasks.exe
3828	schtasks.exe
1448	schtasks.exe
2036	schtasks.exe
1500	schtasks.exe
3512	schtasks.exe
2252	schtasks.exe
2932	schtasks.exe
3908	schtasks.exe
2196	schtasks.exe
3748	schtasks.exe
1124	schtasks.exe
3740	schtasks.exe
4136	schtasks.exe
612	schtasks.exe
1864	schtasks.exe
3472	schtasks.exe
1848	schtasks.exe
2204	schtasks.exe
3844	schtasks.exe
4552	schtasks.exe
2336	schtasks.exe
4128	schtasks.exe
3008	schtasks.exe
2032	schtasks.exe
3940	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
4976	powershell.exe
4976	powershell.exe
4896	powershell.exe
4896	powershell.exe
4660	powershell.exe
4660	powershell.exe
332	powershell.exe
332	powershell.exe
3192	powershell.exe
3192	powershell.exe
4024	powershell.exe
4024	powershell.exe
3092	powershell.exe
3092	powershell.exe
3136	powershell.exe
3136	powershell.exe
4688	powershell.exe
4688	powershell.exe
3992	powershell.exe
3992	powershell.exe
3896	powershell.exe
3896	powershell.exe
4548	powershell.exe
4548	powershell.exe
3192	powershell.exe
4976	powershell.exe
3136	powershell.exe
4688	powershell.exe
4024	powershell.exe
4660	powershell.exe
4896	powershell.exe
4896	powershell.exe
332	powershell.exe
3992	powershell.exe
3896	powershell.exe
3092	powershell.exe
4548	powershell.exe
3844	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	3844	fontdrvhost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 4976	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	139
PID 4140 wrote to memory of 4976	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	139
PID 4140 wrote to memory of 3192	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	142
PID 4140 wrote to memory of 3192	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	142
PID 4140 wrote to memory of 4896	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	140
PID 4140 wrote to memory of 4896	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	140
PID 4140 wrote to memory of 4660	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	143
PID 4140 wrote to memory of 4660	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	143
PID 4140 wrote to memory of 332	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	145
PID 4140 wrote to memory of 332	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	145
PID 4140 wrote to memory of 4024	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	147
PID 4140 wrote to memory of 4024	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	147
PID 4140 wrote to memory of 3092	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	150
PID 4140 wrote to memory of 3092	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	150
PID 4140 wrote to memory of 3136	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	148
PID 4140 wrote to memory of 3136	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	148
PID 4140 wrote to memory of 4688	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	154
PID 4140 wrote to memory of 4688	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	154
PID 4140 wrote to memory of 4548	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	155
PID 4140 wrote to memory of 4548	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	155
PID 4140 wrote to memory of 3992	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	156
PID 4140 wrote to memory of 3992	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	156
PID 4140 wrote to memory of 3896	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	160
PID 4140 wrote to memory of 3896	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	160
PID 4140 wrote to memory of 3420	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	163
PID 4140 wrote to memory of 3420	4140	6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe	163
PID 3420 wrote to memory of 1128	3420	cmd.exe	165
PID 3420 wrote to memory of 1128	3420	cmd.exe	165
PID 3420 wrote to memory of 3844	3420	cmd.exe	166
PID 3420 wrote to memory of 3844	3420	cmd.exe	166

C:\Users\Admin\AppData\Local\Temp\6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe
"C:\Users\Admin\AppData\Local\Temp\6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6fxQS0Wc.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1128
- - C:\Recovery\WindowsRE\fontdrvhost.exe
    "C:\Recovery\WindowsRE\fontdrvhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\INF\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\INF\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\INF\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
2.3MB

MD5
2bf6abda97d1e5460b69e1b86bc21fb8

SHA1
712884175ccd13f72ea0f67d7ae293ccbd55ca10

SHA256
6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6

SHA512
dd990825e5ff65b53b828ba5976c5499780d3d94fc4c39260aa3c738d6fd02b97f8ea5585ba7a72a4131e5e38c3fb87b7aeaa4c66702ca77bac6b8fd2a31ffc7

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
2.3MB

MD5
2bf6abda97d1e5460b69e1b86bc21fb8

SHA1
712884175ccd13f72ea0f67d7ae293ccbd55ca10

SHA256
6d337ecc9d8dd809330cfdc244fae658d5cc795ce2aad2f2390e2983f5d1fae6

SHA512
dd990825e5ff65b53b828ba5976c5499780d3d94fc4c39260aa3c738d6fd02b97f8ea5585ba7a72a4131e5e38c3fb87b7aeaa4c66702ca77bac6b8fd2a31ffc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kz6fxQS0Wc.bat

Filesize
202B

MD5
b37a21c6a6f362c51f7f2e503d717cfe

SHA1
6b82811b6c20ad6139211c4ac91a4d0b7e673502

SHA256
d65124676e67d3b0d08700c3dde7938f0e3b27f553436ffb7e750c3af6a70538

SHA512
b66c7d438d786ebc0197105c8dbca33afce8f5188962a9c9078099b123fdcd61bc03a59ca202764b7205b9e33a5fff8e2176783cc210a5c7e27fab9e7be1aa56

Download Submit
memory/332-186-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/332-152-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/3092-185-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/3092-153-0x000001C369100000-0x000001C369122000-memory.dmp

Filesize
136KB

Download
memory/3092-154-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/3136-157-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/3136-178-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/3192-149-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/3192-169-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/3844-193-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/3844-192-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/3896-172-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/3896-162-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/3992-183-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/3992-158-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4024-184-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4024-156-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4140-159-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4140-133-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4140-132-0x0000000000990000-0x0000000000BF0000-memory.dmp

Filesize
2.4MB

Download
memory/4140-134-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4140-135-0x000000001B810000-0x000000001B860000-memory.dmp

Filesize
320KB

Download
memory/4548-177-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4548-160-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4660-181-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4660-151-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4688-161-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4688-182-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4896-150-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4896-188-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-173-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-148-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download