dcrat | 271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
Size

829KB
MD5

78a0654a256451e953d47049aaa60200
SHA1

85eba2ba3f585a889380841c991937448ba61066
SHA256

271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855
SHA512

71cd1ddf7defc16a65db41aa0f93c55690e7c0dbbee04df8bc7efcffa251c9bbbeb6a471e02c621fc1767c19861d787d53bddfdab36d57d081cf875348b636b3
SSDEEP

12288:gVMHbu7aqZzgikCU6tLuY4pkZQbGGnTjkOcQrR0IeIsCaB5aAfCqEfSKIsza8t:numqZzVuY4G+bGGnHkUeaC6qEKKH

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4952	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1544-1-0x0000000000E80000-0x0000000000F56000-memory.dmp	dcrat
behavioral2/files/0x000b000000023b9f-11.dat	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe

Executes dropped EXE 1 IoCs

pid	Process
4484	Idle.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\WinBioDatabase\sppsvc.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Windows\System32\WinBioDatabase\0a1fd5f707cd16	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\6ccacd8608530f	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files\Common Files\Idle.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files\dotnet\host\SearchApp.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\27d1bcfc3c54e0	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Windows Sidebar\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Google\Temp\dllhost.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files\Common Files\csrss.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Windows Sidebar\594b2439bafcf4	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files\Windows Media Player\Visualizations\dwm.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files\Common Files\886983d96e3d3e	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files\Windows Security\BrowserCore\6203df4a6bafc7	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\56085415360792	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files\Windows Security\BrowserCore\lsass.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Internet Explorer\upfc.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files\Windows Media Player\Visualizations\6cb0b6c459d5d3	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files\dotnet\host\38384e6a620884	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\5b884080fd4f94	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Registry.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Internet Explorer\ea1d8f6d871115	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files\Common Files\microsoft shared\Idle.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\38384e6a620884	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files\Common Files\6ccacd8608530f	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ee2ad38f3d4382	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\wininit.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Google\Temp\5940a34987c991	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\594b2439bafcf4	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\ShellComponents\lsass.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Windows\ShellComponents\6203df4a6bafc7	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Windows\Speech_OneCore\Engines\wininit.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Windows\Speech_OneCore\Engines\56085415360792	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Windows\Provisioning\Packages\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Windows\Provisioning\Packages\594b2439bafcf4	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
File created	C:\Windows\rescache\Registry.exe	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4704	schtasks.exe
3688	schtasks.exe
1324	schtasks.exe
112	schtasks.exe
4504	schtasks.exe
4720	schtasks.exe
4936	schtasks.exe
4344	schtasks.exe
4324	schtasks.exe
3764	schtasks.exe
1888	schtasks.exe
1612	schtasks.exe
924	schtasks.exe
3032	schtasks.exe
1148	schtasks.exe
1644	schtasks.exe
4176	schtasks.exe
3328	schtasks.exe
452	schtasks.exe
5024	schtasks.exe
4868	schtasks.exe
3660	schtasks.exe
3820	schtasks.exe
1416	schtasks.exe
4900	schtasks.exe
4916	schtasks.exe
3188	schtasks.exe
4276	schtasks.exe
1808	schtasks.exe
4620	schtasks.exe
3300	schtasks.exe
4376	schtasks.exe
760	schtasks.exe
4884	schtasks.exe
3252	schtasks.exe
3164	schtasks.exe
5048	schtasks.exe
4744	schtasks.exe
2612	schtasks.exe
2336	schtasks.exe
4440	schtasks.exe
900	schtasks.exe
1336	schtasks.exe
2884	schtasks.exe
2692	schtasks.exe
860	schtasks.exe
1544	schtasks.exe
748	schtasks.exe
976	schtasks.exe
116	schtasks.exe
808	schtasks.exe
4516	schtasks.exe
964	schtasks.exe
2992	schtasks.exe
4164	schtasks.exe
4184	schtasks.exe
4828	schtasks.exe
3668	schtasks.exe
3708	schtasks.exe
1384	schtasks.exe
1388	schtasks.exe
4088	schtasks.exe
2200	schtasks.exe
3060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1544	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
1544	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
1544	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
1528	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
1528	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
1528	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
1528	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
1528	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
1528	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
1528	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
1528	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
1528	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
1528	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
3564	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
3564	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
3564	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
4484	Idle.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
Token: SeDebugPrivilege	1528	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
Token: SeDebugPrivilege	3564	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
Token: SeDebugPrivilege	4484	Idle.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1528	1544	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe	120
PID 1544 wrote to memory of 1528	1544	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe	120
PID 1528 wrote to memory of 3564	1528	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe	179
PID 1528 wrote to memory of 3564	1528	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe	179
PID 3564 wrote to memory of 4484	3564	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe	222
PID 3564 wrote to memory of 4484	3564	271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe	222

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
"C:\Users\Admin\AppData\Local\Temp\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
  "C:\Users\Admin\AppData\Local\Temp\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe
    "C:\Users\Admin\AppData\Local\Temp\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Program Files\Common Files\Idle.exe
      "C:\Program Files\Common Files\Idle.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N2" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N2" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\WinBioDatabase\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\WinBioDatabase\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\System32\WinBioDatabase\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\microsoft shared\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Music\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellComponents\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ShellComponents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellComponents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N2" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N2" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Visualizations\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Visualizations\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\Engines\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech_OneCore\Engines\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\dllhost.exe'" /f
1⤵
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /f
1⤵
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /rl HIGHEST /f
1⤵
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /rl HIGHEST /f
1⤵
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\sysmon.exe'" /f
1⤵
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Documents\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\SearchApp.exe'" /f
1⤵
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Cookies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\Idle.exe'" /rl HIGHEST /f
1⤵
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Idle.exe'" /rl HIGHEST /f
1⤵
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\backgroundTaskHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\Idle.exe'" /rl HIGHEST /f
1⤵
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\Idle.exe'" /rl HIGHEST /f
1⤵
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\Registry.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\Registry.exe'" /rl HIGHEST /f
1⤵
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\csrss.exe'" /f
1⤵
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\host\SearchApp.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\SearchApp.exe'" /rl HIGHEST /f
1⤵
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\host\SearchApp.exe'" /rl HIGHEST /f
1⤵
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N2" /sc MINUTE /mo 6 /tr "'C:\Windows\Provisioning\Packages\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe'" /rl HIGHEST /f
1⤵
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N2" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Packages\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\RuntimeBroker.exe'" /f
1⤵
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\upfc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\upfc.exe'" /rl HIGHEST /f
1⤵
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855N.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Windows\System32\WinBioDatabase\sppsvc.exe

Filesize
829KB

MD5
78a0654a256451e953d47049aaa60200

SHA1
85eba2ba3f585a889380841c991937448ba61066

SHA256
271009f132fc388837832a08962ff48c1e76372e047b31cce3db4ad047746855

SHA512
71cd1ddf7defc16a65db41aa0f93c55690e7c0dbbee04df8bc7efcffa251c9bbbeb6a471e02c621fc1767c19861d787d53bddfdab36d57d081cf875348b636b3

Download Submit
memory/1544-0-0x00007FFCD46A3000-0x00007FFCD46A5000-memory.dmp

Filesize
8KB

Download
memory/1544-1-0x0000000000E80000-0x0000000000F56000-memory.dmp

Filesize
856KB

Download
memory/1544-4-0x00007FFCD46A0000-0x00007FFCD5161000-memory.dmp

Filesize
10.8MB

Download
memory/1544-29-0x00007FFCD46A0000-0x00007FFCD5161000-memory.dmp

Filesize
10.8MB

Download