dcrat | 95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Size

1.7MB
MD5

274dfd128512553bde18a7d5e63afcf1
SHA1

3579d08a2a108e03cda8a8439380896106e998d9
SHA256

95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e
SHA512

6466138438bb2168112b99302d8f65c316d62ad393e7c395fef916f6debfa5989d2a7673a3be46908a587b942f527fd44e9b24e86cd8826bac2ec2c44daa3f3a
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvQ:OTHUxUoh1IF9gl2x

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	520	schtasks.exe	85

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1628-1-0x0000000000F60000-0x0000000001120000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b8a-30.dat	dcrat
behavioral2/files/0x000a000000023bbf-59.dat	dcrat
behavioral2/files/0x000200000001e748-106.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
232	powershell.exe
436	powershell.exe
2220	powershell.exe
872	powershell.exe
596	powershell.exe
2004	powershell.exe
648	powershell.exe
1432	powershell.exe
888	powershell.exe
460	powershell.exe
3592	powershell.exe
4880	powershell.exe
1732	powershell.exe
4852	powershell.exe
4872	powershell.exe
3540	powershell.exe
1940	powershell.exe
2700	powershell.exe
3188	powershell.exe
2436	powershell.exe
4240	powershell.exe
4504	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 10 IoCs

pid	Process
2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
4652	conhost.exe
3620	conhost.exe
3996	conhost.exe
2452	conhost.exe
4804	conhost.exe
2088	conhost.exe
2060	conhost.exe
5116	conhost.exe
1888	conhost.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\088424020bedd6	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Windows NT\System.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\RCX8890.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\conhost.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files\ModifiableWindowsApps\smss.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RCX7489.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\wininit.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCX865C.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\RCX8AA6.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Windows Mail\conhost.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Internet Explorer\images\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Internet Explorer\images\dd024b52bf4e97	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\7a0fd90576e088	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX7B94.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\upfc.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\RCX8880.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Windows Mail\5b884080fd4f94	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX7245.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX76AD.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\WindowsPowerShell\56085415360792	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RCX7459.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\RCX8AA5.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\WindowsPowerShell\wininit.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\9e8d7a4ca61bd9	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX7B06.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX71A8.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX76CD.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Windows NT\System.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\upfc.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\ea1d8f6d871115	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Windows NT\27d1bcfc3c54e0	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCX863C.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Saved Games\RCX8201.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Saved Games\RCX8212.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Saved Games\RuntimeBroker.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Windows\LanguageOverlayCache\StartMenuExperienceHost.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Saved Games\RuntimeBroker.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Saved Games\9e8d7a4ca61bd9	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3668	schtasks.exe
1740	schtasks.exe
3704	schtasks.exe
4840	schtasks.exe
4904	schtasks.exe
2632	schtasks.exe
4564	schtasks.exe
3148	schtasks.exe
3632	schtasks.exe
3188	schtasks.exe
1520	schtasks.exe
4268	schtasks.exe
560	schtasks.exe
1296	schtasks.exe
1940	schtasks.exe
4648	schtasks.exe
4664	schtasks.exe
3344	schtasks.exe
1800	schtasks.exe
3104	schtasks.exe
4880	schtasks.exe
2148	schtasks.exe
3292	schtasks.exe
4536	schtasks.exe
2720	schtasks.exe
2700	schtasks.exe
3192	schtasks.exe
1328	schtasks.exe
1644	schtasks.exe
2268	schtasks.exe
436	schtasks.exe
4452	schtasks.exe
388	schtasks.exe
4104	schtasks.exe
4764	schtasks.exe
684	schtasks.exe
1940	schtasks.exe
1188	schtasks.exe
4996	schtasks.exe
4228	schtasks.exe
628	schtasks.exe
4540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
436	powershell.exe
436	powershell.exe
1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
2436	powershell.exe
2436	powershell.exe
2220	powershell.exe
460	powershell.exe
2220	powershell.exe
460	powershell.exe
3592	powershell.exe
3592	powershell.exe
4880	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	4652	conhost.exe
Token: SeDebugPrivilege	3620	conhost.exe
Token: SeDebugPrivilege	3996	conhost.exe
Token: SeDebugPrivilege	2452	conhost.exe
Token: SeDebugPrivilege	4804	conhost.exe
Token: SeDebugPrivilege	2088	conhost.exe
Token: SeDebugPrivilege	2060	conhost.exe
Token: SeDebugPrivilege	5116	conhost.exe
Token: SeDebugPrivilege	1888	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2700	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	128
PID 1628 wrote to memory of 2700	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	128
PID 1628 wrote to memory of 460	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	129
PID 1628 wrote to memory of 460	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	129
PID 1628 wrote to memory of 3188	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	130
PID 1628 wrote to memory of 3188	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	130
PID 1628 wrote to memory of 2436	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	131
PID 1628 wrote to memory of 2436	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	131
PID 1628 wrote to memory of 436	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	132
PID 1628 wrote to memory of 436	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	132
PID 1628 wrote to memory of 2220	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	133
PID 1628 wrote to memory of 2220	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	133
PID 1628 wrote to memory of 4880	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	134
PID 1628 wrote to memory of 4880	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	134
PID 1628 wrote to memory of 3592	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	135
PID 1628 wrote to memory of 3592	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	135
PID 1628 wrote to memory of 596	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	136
PID 1628 wrote to memory of 596	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	136
PID 1628 wrote to memory of 872	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	137
PID 1628 wrote to memory of 872	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	137
PID 1628 wrote to memory of 648	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	138
PID 1628 wrote to memory of 648	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	138
PID 1628 wrote to memory of 2924	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	150
PID 1628 wrote to memory of 2924	1628	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	150
PID 2924 wrote to memory of 1732	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	162
PID 2924 wrote to memory of 1732	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	162
PID 2924 wrote to memory of 888	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	163
PID 2924 wrote to memory of 888	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	163
PID 2924 wrote to memory of 232	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	164
PID 2924 wrote to memory of 232	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	164
PID 2924 wrote to memory of 1940	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	165
PID 2924 wrote to memory of 1940	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	165
PID 2924 wrote to memory of 1432	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	166
PID 2924 wrote to memory of 1432	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	166
PID 2924 wrote to memory of 2004	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	167
PID 2924 wrote to memory of 2004	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	167
PID 2924 wrote to memory of 3540	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	168
PID 2924 wrote to memory of 3540	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	168
PID 2924 wrote to memory of 4872	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	169
PID 2924 wrote to memory of 4872	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	169
PID 2924 wrote to memory of 4504	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	170
PID 2924 wrote to memory of 4504	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	170
PID 2924 wrote to memory of 4240	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	171
PID 2924 wrote to memory of 4240	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	171
PID 2924 wrote to memory of 4852	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	172
PID 2924 wrote to memory of 4852	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	172
PID 2924 wrote to memory of 3448	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	184
PID 2924 wrote to memory of 3448	2924	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	184
PID 3448 wrote to memory of 3052	3448	cmd.exe	187
PID 3448 wrote to memory of 3052	3448	cmd.exe	187
PID 3448 wrote to memory of 4652	3448	cmd.exe	189
PID 3448 wrote to memory of 4652	3448	cmd.exe	189
PID 4652 wrote to memory of 1340	4652	conhost.exe	191
PID 4652 wrote to memory of 1340	4652	conhost.exe	191
PID 4652 wrote to memory of 2532	4652	conhost.exe	192
PID 4652 wrote to memory of 2532	4652	conhost.exe	192
PID 1340 wrote to memory of 3620	1340	WScript.exe	196
PID 1340 wrote to memory of 3620	1340	WScript.exe	196
PID 3620 wrote to memory of 636	3620	conhost.exe	198
PID 3620 wrote to memory of 636	3620	conhost.exe	198
PID 3620 wrote to memory of 1428	3620	conhost.exe	199
PID 3620 wrote to memory of 1428	3620	conhost.exe	199
PID 636 wrote to memory of 3996	636	WScript.exe	200
PID 636 wrote to memory of 3996	636	WScript.exe	200

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
"C:\Users\Admin\AppData\Local\Temp\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Users\Admin\AppData\Local\Temp\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
  "C:\Users\Admin\AppData\Local\Temp\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\omibxcOtOT.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3052
  - - C:\Program Files (x86)\Windows Mail\conhost.exe
      "C:\Program Files (x86)\Windows Mail\conhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fad52ece-840d-40f1-8025-8a55b135ee8f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1340
      - C:\Program Files (x86)\Windows Mail\conhost.exe
        
        "C:\Program Files (x86)\Windows Mail\conhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89a808a7-80ae-4188-b5a9-a9e3ccb123b7.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Program Files (x86)\Windows Mail\conhost.exe
        
        "C:\Program Files (x86)\Windows Mail\conhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd218b8c-6d3a-4f99-aeda-747cda5f047b.vbs"
        9⤵
        
        PID:4028
        
        C:\Program Files (x86)\Windows Mail\conhost.exe
        
        "C:\Program Files (x86)\Windows Mail\conhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c3636ad-d137-4fd1-bb8d-9f845dc08cd3.vbs"
        11⤵
        
        PID:3572
        
        C:\Program Files (x86)\Windows Mail\conhost.exe
        
        "C:\Program Files (x86)\Windows Mail\conhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0eb3d33-6c46-4505-a1dc-8acffd5ee2a0.vbs"
        13⤵
        
        PID:1188
        
        C:\Program Files (x86)\Windows Mail\conhost.exe
        
        "C:\Program Files (x86)\Windows Mail\conhost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87bcee01-a185-47a6-ba38-dbf3e92074b1.vbs"
        15⤵
        
        PID:732
        
        C:\Program Files (x86)\Windows Mail\conhost.exe
        
        "C:\Program Files (x86)\Windows Mail\conhost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cdefa89-cca3-4d38-ace6-10cf83653f6e.vbs"
        17⤵
        
        PID:4808
        
        C:\Program Files (x86)\Windows Mail\conhost.exe
        
        "C:\Program Files (x86)\Windows Mail\conhost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f66905e-d65f-4a3d-99e0-6c258976a1b1.vbs"
        19⤵
        
        PID:4956
        
        C:\Program Files (x86)\Windows Mail\conhost.exe
        
        "C:\Program Files (x86)\Windows Mail\conhost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0da42ec0-5f87-494a-8844-2deccf3875a5.vbs"
        21⤵
        
        PID:3552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50867ee1-2c34-4d8f-9c3d-ddd42e8a15b2.vbs"
        21⤵
        
        PID:4564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14c6ec32-594c-43d3-8c7d-5f48953ec529.vbs"
        19⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c65e1f0-e891-4ff0-aff5-53a1172b0425.vbs"
        17⤵
        
        PID:980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67c10ca0-17a7-4cbf-a81a-f04441d6eba2.vbs"
        15⤵
        
        PID:1380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\974140f4-8b7e-4bcd-85d5-1e1e8d1a7aaf.vbs"
        13⤵
        
        PID:4012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17d562fe-1476-4967-957f-9f2f4bc83648.vbs"
        11⤵
        
        PID:4812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e01a635-8569-4ef7-bbc1-ddbeccdd3238.vbs"
        9⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1269ea44-c7e2-44e0-9b54-0d19d6270d7c.vbs"
        7⤵
        
        PID:1428
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b19ea71-db31-4d82-bbb0-5a9cc406b38e.vbs"
        5⤵
        
        PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Pictures\Camera Roll\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Camera Roll\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\Camera Roll\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e9" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e9" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\images\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\System.exe

Filesize
1.7MB

MD5
8ba7124c8d5f0d37821833aa6f2c7f6e

SHA1
98c426ba9150bb54e533e40f0a15e265d05f626b

SHA256
50a9512a3e14b63ff6e9eb8391b9cf18d598597b656019a0c719a05f12e87a04

SHA512
21d4ea210e284eba22388297839d583c23d40de1dc78e9c4ded78a4e34409767f48a3b9a67ddee65736e7023e29ad6fef7ddbafd501655c8e8cf18b47b28bb7a

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe

Filesize
1.7MB

MD5
fd550878fffd97da2f98de1ad7c2721f

SHA1
49f7aab66084c8d90ad176feca6561bb66f3d2cf

SHA256
7ac79dec781c61c52070a5b0f919d55507e8b72ace3edc74338699630977bbe2

SHA512
5d16a83df7cc3cfcf2b6323bb149e1846a13b3415912c5b6e1ea820c772d58a1af4dc18c6227005cc8120bf551948fd100f728ef3b8829f910e0c2b40407f51c

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe

Filesize
1.7MB

MD5
274dfd128512553bde18a7d5e63afcf1

SHA1
3579d08a2a108e03cda8a8439380896106e998d9

SHA256
95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e

SHA512
6466138438bb2168112b99302d8f65c316d62ad393e7c395fef916f6debfa5989d2a7673a3be46908a587b942f527fd44e9b24e86cd8826bac2ec2c44daa3f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b801d886e417a9bf405b2f0092e04fe1

SHA1
fa99fefa2f49af240141692f78c8c28f04205389

SHA256
57b1c29eef54567fcfdaa28d2923485cb6f77bb76dc54235965fb34f02a42636

SHA512
b2c8bf95b4c25d7fff388b5f3e04212c43af9588f7aed8a7cb251330ee18c89789eb1d294b8449ec2afeb9b5373d7a6dce8f4369b84cbfb6a7c7813341fa07ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
caae66b2d6030f85188e48e4ea3a9fa6

SHA1
108425bd97144fa0f92ff7b2109fec293d14a461

SHA256
a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d

SHA512
189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
36c0eb4cc9fdffc5d2d368d7231ad514

SHA1
ce52fda315ce5c60a0af506f87edb0c2b3fdebcc

SHA256
f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b

SHA512
4ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1f545274ba19d9199a78f74cd05e8187

SHA1
4036cf78d3f310af42963c8f16ae27c5922b5dff

SHA256
3b4780cb2e226f4b05643c0b512960e694f21b35bbbe84d5c5e97628e1f8909c

SHA512
b0f66a6c32cb7f2f96b51c141ffe7df7f4fd61a792e6a3756f54b6d0df6f48d7a3bda23d46ee1e18a22ac995520fb9c4ca1b444d204bdd8f3e4b8651f59adc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
705e397ba2c670b0b9fcebdd31e0feea

SHA1
8566fe7e0903b7495e659ba0588b72e3ce538c3b

SHA256
ae5d0de2ba6fe534bf67dcdbbfd71cf3f8c26f3d6ec852d73362d274a242732f

SHA512
a2914a193cbea13119567199082c52eebe67719c80bc056b3820c6a4b2e8cf8c7ecd3e38975f6ffc616b171ab722a6664f44f65496fdaf114615c1bbdf98306c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9a7f35c006bbf5da72f9cb250ffbddb

SHA1
458a8cedc38dac109631d9fccb3bf6d2c5c0e89e

SHA256
a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b

SHA512
d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d27a1d5a0e5df109b4e95c72be4a483

SHA1
5df63646015d27872f4047e2658171db0af4863e

SHA256
062acb1f904f74222520f58b8a32d0d8ea0f98d6e6c690bac2c841c548eca2a8

SHA512
b4d2634ed58dbfde88d43bec3b67bf7a07670cc4d4e5bce9a72246e4b1aaeb8a8244c0518fe52a0d201c5a02ba7b4b869f36f5508d5129d2822ab0a469716332

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c3636ad-d137-4fd1-bb8d-9f845dc08cd3.vbs

Filesize
723B

MD5
39ba261d686a9a626bd0834b28540e4b

SHA1
e21772e5c50fed59c0536907ac0675ba6c40ba56

SHA256
87a1fef874306de2c4b4f13d8852f843fafecb443e108637b450e7d1395ccd09

SHA512
8d3e42030472fa457d2820d14381a60d669218c039b8eb436ddbda4d88ddb22907aa477fab02cb52b01624db4928015179c9ac498f4909219e61b41787119609

Download Submit
C:\Users\Admin\AppData\Local\Temp\0da42ec0-5f87-494a-8844-2deccf3875a5.vbs

Filesize
723B

MD5
9d1f922a493a8e482a6873eb994df4f5

SHA1
870ec7efc6a396f64a6b84e804dd2c6c22b4c995

SHA256
bbe8ba8d26131dfc1b82b2a2863f7a20b6bb679c84d15edd81af289905641273

SHA512
c917b153c56c477a2791e6584cef4594ccf2cc4f1b3dc655494cf108a3679a30a3414e96bbf7beb245c1f97e066cdaaf56dcfb0087468c7b85e54a4ceff230b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f66905e-d65f-4a3d-99e0-6c258976a1b1.vbs

Filesize
723B

MD5
8cb49f56888bf4baddc423b5d9a46622

SHA1
42f661edf8fb15e86179afa0f1abe5f5bf05eb26

SHA256
d432ec66f0f0e912554e9bd59e91db7a89ba2d8e2f32d873c9c9618ae6518cb2

SHA512
a387443fd49f40371dd780aa3f8a2637be3ca1205058778b192967601f0249b6e726611c7d3f9e114924601fc11e96d1073509d3ffe176526b3c1a6ed5b9535f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cdefa89-cca3-4d38-ace6-10cf83653f6e.vbs

Filesize
723B

MD5
86df464842e5508af09edd45f469baf1

SHA1
8b812fdff255a950deba566ae22f47a98a7f5aa0

SHA256
ba6e58d3ab55d98af9b09834d4eb959e3c5de6db90706fe406eee169b5cccbd3

SHA512
2dd4649bbf192186216c52e499fb7c0ec2a5b3d83841251ce110306f42fc83ee30cd6e314b0a16b08747cccd4cd2a0677c3192a26765afc2c449f58640503433

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b19ea71-db31-4d82-bbb0-5a9cc406b38e.vbs

Filesize
499B

MD5
83fe1b32085a086555171fe3735791b3

SHA1
0f0dccda2b9afdce8cf0fdc36100d7c2a5e43ee8

SHA256
d22d915da2a880aa57a993ef06c2ba68471d4d40da70a31062ad05db6a6b6d1c

SHA512
7918da2bd4d27adde73c34fb7ca439bce24e0a02b52cab59ff1c65aabcbcb511836fa202e7959cd985fb717027d875be740ca03b01edd501fedbeed2b66196a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\87bcee01-a185-47a6-ba38-dbf3e92074b1.vbs

Filesize
723B

MD5
8bb8f1aa447f3c84c46f113be7863c10

SHA1
f235d8fdb8afe419e6f1a4ab2022834b4bf1a169

SHA256
f37b868e0e708073828ad7eac2742387d28435c6329dd727d6c7bf058d489571

SHA512
ea9d74699488ed86efad986a72ac45bfef4819dbbe1efc56b93e82785702ae832195536717799928b1578abd8cfb41e02ce68034a5b03d6e93527c2490069ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\89a808a7-80ae-4188-b5a9-a9e3ccb123b7.vbs

Filesize
723B

MD5
4a5032d25baea5d0d6033af2a4f258ee

SHA1
4b1a7e712cfeae3ec43aa8ee0285c20ecc5189e6

SHA256
cd9a2f7cfb2d5af304211718b3a70a75657af7617e5b2cdf570211368e76186a

SHA512
150908f9e57781d418ccd8afff98586e9e4404a2c8a96d753875736a448416629278aa03404bcd062ead6de2d3136ebd73aaa7c48a193890be250ad151c11897

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4y33jsco.bow.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd218b8c-6d3a-4f99-aeda-747cda5f047b.vbs

Filesize
723B

MD5
d20447b8426566b6cd09c09d621b909b

SHA1
12c9464dea8e1b9a4aa707f4f4dc1b45483bdd2f

SHA256
5f91c6d9f133a8740779923b42f1a89ace3f7b628b072e895c0774ceff2af690

SHA512
c78eb606d19ea731bd8d1af201c514f7b41c21a07c6fa6440f1ca40ae1d6343f80b0d706e802d5f45eeb6a6125dfe73229c493498da4b61d377fc8397837fae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0eb3d33-6c46-4505-a1dc-8acffd5ee2a0.vbs

Filesize
723B

MD5
c4329f06157d8d84149ad6d4dc0c5a35

SHA1
4af98bac4fd477277a1d946857ba8c3a441baca5

SHA256
97abf98ae639dce4e44493b07677d64b2066dbcc6929dadd36eb2ccf1aceab56

SHA512
65cc833e05ae1bac09b29ac391bf0144c6c555007aba3134962b12c0167c364e3bc41b0a1d115d13f496df513472e62fa5a484abed73b1c26e39a295121f0726

Download Submit
C:\Users\Admin\AppData\Local\Temp\fad52ece-840d-40f1-8025-8a55b135ee8f.vbs

Filesize
723B

MD5
b1860719f117c09155f394b5c77ad242

SHA1
5de0ae487ef86fb5e0012ca2abcd8b06a7953d70

SHA256
9a860ac16839fa38d59763d738e90f1390ff8a8aaec7899f85da78f9590aa0c6

SHA512
b4f7f8e13349d3a10d610aca22d4624d36cec6ef4bfe0bd577093b4e4c1670ecf7fb8a8a8a88778a9a5f03c06757b6b1d35734deb31951afa67cd72d8505e731

Download Submit
C:\Users\Admin\AppData\Local\Temp\omibxcOtOT.bat

Filesize
212B

MD5
28f5c080954c43178c12d00379c29aad

SHA1
0e31843e43e94647e801dd3d7623f976b0a0834f

SHA256
4a54ccae85a1f5567c4d24999f9130039d0c07c9131f70849817d7eecc8f1b41

SHA512
15b619355c8cb8afc71b05b60744eee6c6983e7e61a6551a58dbc2252504b10b103dff5f1e1ddf93e8616da477bed8aae28598ef50522c3343dcceb3af7ae3e7

Download Submit
memory/436-202-0x000001FAA7900000-0x000001FAA7922000-memory.dmp

Filesize
136KB

Download
memory/1628-19-0x000000001BF80000-0x000000001BF8C000-memory.dmp

Filesize
48KB

Download
memory/1628-14-0x000000001BF30000-0x000000001BF3C000-memory.dmp

Filesize
48KB

Download
memory/1628-299-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/1628-206-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/1628-161-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/1628-145-0x00007FFB67ED3000-0x00007FFB67ED5000-memory.dmp

Filesize
8KB

Download
memory/1628-15-0x000000001BF40000-0x000000001BF4A000-memory.dmp

Filesize
40KB

Download
memory/1628-23-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/1628-16-0x000000001BF50000-0x000000001BF5E000-memory.dmp

Filesize
56KB

Download
memory/1628-22-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/1628-17-0x000000001BF60000-0x000000001BF68000-memory.dmp

Filesize
32KB

Download
memory/1628-0-0x00007FFB67ED3000-0x00007FFB67ED5000-memory.dmp

Filesize
8KB

Download
memory/1628-18-0x000000001BF70000-0x000000001BF7C000-memory.dmp

Filesize
48KB

Download
memory/1628-1-0x0000000000F60000-0x0000000001120000-memory.dmp

Filesize
1.8MB

Download
memory/1628-13-0x000000001CAD0000-0x000000001CFF8000-memory.dmp

Filesize
5.2MB

Download
memory/1628-2-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/1628-12-0x00000000035E0000-0x00000000035F2000-memory.dmp

Filesize
72KB

Download
memory/1628-10-0x00000000035D0000-0x00000000035D8000-memory.dmp

Filesize
32KB

Download
memory/1628-4-0x000000001BEC0000-0x000000001BF10000-memory.dmp

Filesize
320KB

Download
memory/1628-5-0x00000000018E0000-0x00000000018E8000-memory.dmp

Filesize
32KB

Download
memory/1628-3-0x0000000001900000-0x000000000191C000-memory.dmp

Filesize
112KB

Download
memory/1628-6-0x0000000003420000-0x0000000003430000-memory.dmp

Filesize
64KB

Download
memory/1628-9-0x00000000035C0000-0x00000000035CC000-memory.dmp

Filesize
48KB

Download
memory/1628-7-0x0000000003590000-0x00000000035A6000-memory.dmp

Filesize
88KB

Download
memory/1628-8-0x00000000035B0000-0x00000000035C0000-memory.dmp

Filesize
64KB

Download
memory/2924-300-0x000000001B1E0000-0x000000001B1F2000-memory.dmp

Filesize
72KB

Download
memory/3996-486-0x000000001BD80000-0x000000001BD92000-memory.dmp

Filesize
72KB

Download
memory/4652-462-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download