dcrat | 85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
Size

1.7MB
MD5

f110d8cce9bfb48c7360203fa38d21c7
SHA1

b25dc35fe3741b5c6cf8286d65067920fb89823b
SHA256

85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87
SHA512

506cd39bc1cbcc9550cc726bc237a25c463512eec8c59f3b5990f207694f17dabd84e650676377c0b456f85ea61064fc0c55029390e82e0fece594982a223ad0
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	3592	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	3592	schtasks.exe	84

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1508-0-0x00000000003D0000-0x0000000000586000-memory.dmp	dcrat
behavioral2/files/0x0006000000023225-31.dat	dcrat
behavioral2/files/0x0010000000023262-242.dat	dcrat
behavioral2/files/0x000600000002322a-462.dat	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 2 IoCs

pid	Process
1988	fontdrvhost.exe
3468	fontdrvhost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\Boot\Registry.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXA125.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXAF79.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\unsecapp.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\29c1c3cc0f7685	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files (x86)\Adobe\lsass.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\RCX9157.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\e1ef82546f0b02	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files\dotnet\host\66fc9ff0ee96c2	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files (x86)\Adobe\6203df4a6bafc7	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files\dotnet\host\sihost.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\RCXA349.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\RCXA369.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\RCX8F43.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\unsecapp.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files\dotnet\host\RCXA89D.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXB6A3.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\wininit.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files\Windows Media Player\Skins\SppExtComObj.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SppExtComObj.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files (x86)\Microsoft.NET\56085415360792	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files\dotnet\host\RCXA82F.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXAEEC.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files\Windows Media Player\Skins\e1ef82546f0b02	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files\Microsoft Office\Office16\69ddcba757bf72	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SppExtComObj.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\SppExtComObj.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files\Microsoft Office\Office16\smss.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files (x86)\Adobe\lsass.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Program Files (x86)\Microsoft.NET\wininit.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\RCX8F22.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files\dotnet\host\sihost.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXB6D2.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\RCX9168.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXA115.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\smss.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Media\22eafd247d37c3	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Windows\Media\RCXB1BD.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Windows\Media\RCXB1DD.tmp	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File opened for modification	C:\Windows\Media\TextInputHost.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\Registry.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-grouppolicy-script_31bf3856ad364e35_10.0.19041.572_none_42ec0e96ce977bdb\r\RuntimeBroker.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
File created	C:\Windows\Media\TextInputHost.exe	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2408	schtasks.exe
1584	schtasks.exe
4444	schtasks.exe
1636	schtasks.exe
2756	schtasks.exe
3640	schtasks.exe
4828	schtasks.exe
2280	schtasks.exe
4400	schtasks.exe
4684	schtasks.exe
3596	schtasks.exe
2476	schtasks.exe
3956	schtasks.exe
4188	schtasks.exe
432	schtasks.exe
5080	schtasks.exe
1284	schtasks.exe
4080	schtasks.exe
2888	schtasks.exe
2104	schtasks.exe
3736	schtasks.exe
3708	schtasks.exe
2868	schtasks.exe
4164	schtasks.exe
1972	schtasks.exe
2508	schtasks.exe
2980	schtasks.exe
1340	schtasks.exe
2668	schtasks.exe
4308	schtasks.exe
1904	schtasks.exe
3184	schtasks.exe
3872	schtasks.exe
2240	schtasks.exe
468	schtasks.exe
1184	schtasks.exe
1068	schtasks.exe
4172	schtasks.exe
3772	schtasks.exe
4956	schtasks.exe
4276	schtasks.exe
2788	schtasks.exe
3432	schtasks.exe
3220	schtasks.exe
3044	schtasks.exe
676	schtasks.exe
3644	schtasks.exe
2144	schtasks.exe
1592	schtasks.exe
2740	schtasks.exe
3976	schtasks.exe
1976	schtasks.exe
2632	schtasks.exe
4792	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	1988	fontdrvhost.exe
Token: SeDebugPrivilege	3468	fontdrvhost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 5040	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	145
PID 1508 wrote to memory of 5040	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	145
PID 1508 wrote to memory of 4928	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	146
PID 1508 wrote to memory of 4928	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	146
PID 1508 wrote to memory of 4028	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	147
PID 1508 wrote to memory of 4028	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	147
PID 1508 wrote to memory of 4236	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	148
PID 1508 wrote to memory of 4236	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	148
PID 1508 wrote to memory of 2964	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	149
PID 1508 wrote to memory of 2964	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	149
PID 1508 wrote to memory of 3196	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	168
PID 1508 wrote to memory of 3196	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	168
PID 1508 wrote to memory of 3308	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	167
PID 1508 wrote to memory of 3308	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	167
PID 1508 wrote to memory of 1552	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	166
PID 1508 wrote to memory of 1552	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	166
PID 1508 wrote to memory of 4032	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	165
PID 1508 wrote to memory of 4032	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	165
PID 1508 wrote to memory of 1884	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	164
PID 1508 wrote to memory of 1884	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	164
PID 1508 wrote to memory of 4372	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	163
PID 1508 wrote to memory of 4372	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	163
PID 1508 wrote to memory of 3848	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	150
PID 1508 wrote to memory of 3848	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	150
PID 1508 wrote to memory of 1988	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	169
PID 1508 wrote to memory of 1988	1508	85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe	169
PID 1988 wrote to memory of 3796	1988	fontdrvhost.exe	170
PID 1988 wrote to memory of 3796	1988	fontdrvhost.exe	170
PID 1988 wrote to memory of 1548	1988	fontdrvhost.exe	171
PID 1988 wrote to memory of 1548	1988	fontdrvhost.exe	171
PID 3796 wrote to memory of 3468	3796	WScript.exe	176
PID 3796 wrote to memory of 3468	3796	WScript.exe	176

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe
"C:\Users\Admin\AppData\Local\Temp\85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3196
- C:\odt\fontdrvhost.exe
  "C:\odt\fontdrvhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87008384-5841-4cc0-901d-5029d9e6e11f.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\odt\fontdrvhost.exe
      C:\odt\fontdrvhost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3468
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a49f492-8f30-4e44-bc80-bd1d48717f57.vbs"
    3⤵
    PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Skins\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Skins\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office16\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\host\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\host\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\odt\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\odt\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Media\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Links\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\lsass.exe

Filesize
1.7MB

MD5
854eb067961671213d525f348eb623ad

SHA1
c3d733f78094356b80abb319c4e3afd5b5f964e7

SHA256
5f0106924c73ea2388ae9f46c11b25628a54a1a91a0382aac67e742bc7132f3a

SHA512
210b73d545688eec08fa095080f67a242e809dac4ef08510d197777d5fd0f737e074ffa8ea480282ed5c7cdbe80b6c90f8fccc42e3e336a62284f994f221200e

Download Submit
C:\Recovery\WindowsRE\upfc.exe

Filesize
1.7MB

MD5
f110d8cce9bfb48c7360203fa38d21c7

SHA1
b25dc35fe3741b5c6cf8286d65067920fb89823b

SHA256
85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87

SHA512
506cd39bc1cbcc9550cc726bc237a25c463512eec8c59f3b5990f207694f17dabd84e650676377c0b456f85ea61064fc0c55029390e82e0fece594982a223ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a49f492-8f30-4e44-bc80-bd1d48717f57.vbs

Filesize
474B

MD5
d4ea3e3aa6dffb9e9bc2e9eacfa56608

SHA1
562b5d50972a979d2049bf187d644d10f69fc8ad

SHA256
0465e2d77b1d6e4c44e80dd7d0ff5647fbd91fece2dd115edf28f62bbb1ad371

SHA512
b2b8c9c63963975beac4b04afd368dd8dbc74b9de1dfc5648537390243898f4ebded482782e5cb7744b8b4a2fb623a1b4b1e2fbc71b375106ab184466d77f85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\87008384-5841-4cc0-901d-5029d9e6e11f.vbs

Filesize
698B

MD5
a5b2a28e297271d89c5b00a437e6cab5

SHA1
f7871d7646f57935cba2d6620f7c5bf0fa322cd0

SHA256
ffc55ec5e39d4ac64d32a3a3b07786c383d656f73b88bfe758b70181907a5a09

SHA512
1d6ef8766ef562ae5f4cf9df4e6ef14530effdb9b8af6b4dd7413a48b0fa25f6c571cd35fafb6fa2770fd2d76c2034d49a8cd537afee79e42b1c3d828a5eb487

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvr3cf2p.wjk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.4MB

MD5
8794c89310dd49b914445a94f1e3cef2

SHA1
4cefec85c10bbf23b2c374fe0d1f56e34ed87603

SHA256
f7478d8b4e7395a3650911dec02d4013cd6d352d1b7e4cf43e990c3f75768345

SHA512
711201dbec246b0da92a5c1c6a9f4e3c48a648b13faa6da88f0f534d159e1355898df148f53cc2e03394f771d998b1397bba0cbb47403bbf4855da9edcacbb07

Download Submit
memory/1508-1-0x00007FFAD8270000-0x00007FFAD8D31000-memory.dmp

Filesize
10.8MB

Download
memory/1508-2-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

Filesize
64KB

Download
memory/1508-10-0x000000001B960000-0x000000001B96C000-memory.dmp

Filesize
48KB

Download
memory/1508-13-0x000000001B990000-0x000000001B99C000-memory.dmp

Filesize
48KB

Download
memory/1508-11-0x000000001B970000-0x000000001B978000-memory.dmp

Filesize
32KB

Download
memory/1508-14-0x000000001BAA0000-0x000000001BAAC000-memory.dmp

Filesize
48KB

Download
memory/1508-15-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

Filesize
64KB

Download
memory/1508-17-0x000000001BAB0000-0x000000001BABA000-memory.dmp

Filesize
40KB

Download
memory/1508-18-0x000000001BC00000-0x000000001BC08000-memory.dmp

Filesize
32KB

Download
memory/1508-16-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

Filesize
64KB

Download
memory/1508-19-0x000000001BC10000-0x000000001BC1C000-memory.dmp

Filesize
48KB

Download
memory/1508-20-0x000000001BC20000-0x000000001BC2C000-memory.dmp

Filesize
48KB

Download
memory/1508-25-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

Filesize
64KB

Download
memory/1508-26-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

Filesize
64KB

Download
memory/1508-136-0x000000001C5C0000-0x000000001C6C0000-memory.dmp

Filesize
1024KB

Download
memory/1508-149-0x000000001C5C0000-0x000000001C6C0000-memory.dmp

Filesize
1024KB

Download
memory/1508-197-0x00007FFAD8270000-0x00007FFAD8D31000-memory.dmp

Filesize
10.8MB

Download
memory/1508-0-0x00000000003D0000-0x0000000000586000-memory.dmp

Filesize
1.7MB

Download
memory/1508-330-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

Filesize
64KB

Download
memory/1508-329-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

Filesize
64KB

Download
memory/1508-9-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/1508-3-0x0000000002670000-0x000000000268C000-memory.dmp

Filesize
112KB

Download
memory/1508-245-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

Filesize
64KB

Download
memory/1508-8-0x000000001B800000-0x000000001B812000-memory.dmp

Filesize
72KB

Download
memory/1508-4-0x000000001B810000-0x000000001B860000-memory.dmp

Filesize
320KB

Download
memory/1508-7-0x000000001B7E0000-0x000000001B7F6000-memory.dmp

Filesize
88KB

Download
memory/1508-468-0x00007FFAD8270000-0x00007FFAD8D31000-memory.dmp

Filesize
10.8MB

Download
memory/1508-5-0x000000001B7C0000-0x000000001B7C8000-memory.dmp

Filesize
32KB

Download
memory/1508-6-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

Filesize
64KB

Download
memory/1552-469-0x00007FFAD8270000-0x00007FFAD8D31000-memory.dmp

Filesize
10.8MB

Download
memory/1552-484-0x0000018DD90D0000-0x0000018DD90E0000-memory.dmp

Filesize
64KB

Download
memory/1552-470-0x0000018DD90D0000-0x0000018DD90E0000-memory.dmp

Filesize
64KB

Download
memory/1884-465-0x00007FFAD8270000-0x00007FFAD8D31000-memory.dmp

Filesize
10.8MB

Download
memory/1884-466-0x000001A844470000-0x000001A844480000-memory.dmp

Filesize
64KB

Download
memory/1884-467-0x000001A844470000-0x000001A844480000-memory.dmp

Filesize
64KB

Download
memory/1988-480-0x00000000031D0000-0x00000000031E2000-memory.dmp

Filesize
72KB

Download
memory/2964-485-0x000001CF7B5F0000-0x000001CF7B600000-memory.dmp

Filesize
64KB

Download
memory/2964-475-0x000001CF7B5F0000-0x000001CF7B600000-memory.dmp

Filesize
64KB

Download
memory/2964-474-0x00007FFAD8270000-0x00007FFAD8D31000-memory.dmp

Filesize
10.8MB

Download
memory/3308-447-0x00007FFAD8270000-0x00007FFAD8D31000-memory.dmp

Filesize
10.8MB

Download
memory/3848-331-0x00007FFAD8270000-0x00007FFAD8D31000-memory.dmp

Filesize
10.8MB

Download
memory/3848-481-0x0000021451930000-0x0000021451940000-memory.dmp

Filesize
64KB

Download
memory/3848-343-0x0000021451930000-0x0000021451940000-memory.dmp

Filesize
64KB

Download
memory/4028-449-0x00007FFAD8270000-0x00007FFAD8D31000-memory.dmp

Filesize
10.8MB

Download
memory/4028-483-0x000001C5B3D00000-0x000001C5B3D10000-memory.dmp

Filesize
64KB

Download
memory/4028-451-0x000001C5B3D00000-0x000001C5B3D10000-memory.dmp

Filesize
64KB

Download
memory/4028-460-0x000001C5B3D00000-0x000001C5B3D10000-memory.dmp

Filesize
64KB

Download
memory/4032-452-0x0000020750120000-0x0000020750130000-memory.dmp

Filesize
64KB

Download
memory/4032-482-0x0000020750120000-0x0000020750130000-memory.dmp

Filesize
64KB

Download
memory/4032-450-0x0000020750120000-0x0000020750130000-memory.dmp

Filesize
64KB

Download
memory/4032-448-0x00007FFAD8270000-0x00007FFAD8D31000-memory.dmp

Filesize
10.8MB

Download
memory/4236-479-0x000001BF6C5A0000-0x000001BF6C5B0000-memory.dmp

Filesize
64KB

Download
memory/4236-359-0x000001BF6C5A0000-0x000001BF6C5B0000-memory.dmp

Filesize
64KB

Download
memory/4236-345-0x000001BF6C5A0000-0x000001BF6C5B0000-memory.dmp

Filesize
64KB

Download
memory/4236-332-0x00007FFAD8270000-0x00007FFAD8D31000-memory.dmp

Filesize
10.8MB

Download
memory/4372-477-0x000002BDC58D0000-0x000002BDC58E0000-memory.dmp

Filesize
64KB

Download
memory/4372-478-0x000002BDC58D0000-0x000002BDC58E0000-memory.dmp

Filesize
64KB

Download
memory/4372-476-0x00007FFAD8270000-0x00007FFAD8D31000-memory.dmp

Filesize
10.8MB

Download
memory/4928-338-0x000001CDF3680000-0x000001CDF36A2000-memory.dmp

Filesize
136KB

Download
memory/4928-434-0x000001CDDAF40000-0x000001CDDAF50000-memory.dmp

Filesize
64KB

Download
memory/4928-427-0x000001CDDAF40000-0x000001CDDAF50000-memory.dmp

Filesize
64KB

Download
memory/5040-471-0x00007FFAD8270000-0x00007FFAD8D31000-memory.dmp

Filesize
10.8MB

Download
memory/5040-473-0x00000221EC4C0000-0x00000221EC4D0000-memory.dmp

Filesize
64KB

Download
memory/5040-472-0x00000221EC4C0000-0x00000221EC4D0000-memory.dmp

Filesize
64KB

Download