dcrat | 6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
Size

1.7MB
MD5

96eb6349f62024cbe4512ce6fe98e9ca
SHA1

ca1e4b20f9a1e3ffb2ab3776370fe94e936ad29f
SHA256

6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c
SHA512

5741d00be28702ea6e64cfb3ea44fe38df4cd2296b5949d5cfe7ed785eae922d9ba82b07893882d4b19e3685e17796e4fba0087d50366fc608939b9ce0cbd0e4
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	4588	schtasks.exe	82

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4496-1-0x00000000009F0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cbf-30.dat	dcrat
behavioral2/files/0x000b000000023cc9-61.dat	dcrat
behavioral2/files/0x0009000000023cb3-72.dat	dcrat
behavioral2/files/0x000c000000023cb6-106.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3772	powershell.exe
3388	powershell.exe
3116	powershell.exe
2016	powershell.exe
4392	powershell.exe
3544	powershell.exe
5056	powershell.exe
3232	powershell.exe
3076	powershell.exe
2940	powershell.exe
1952	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe

Executes dropped EXE 10 IoCs

pid	Process
100	RuntimeBroker.exe
2736	RuntimeBroker.exe
4560	RuntimeBroker.exe
3228	RuntimeBroker.exe
4500	RuntimeBroker.exe
1836	RuntimeBroker.exe
2688	RuntimeBroker.exe
716	RuntimeBroker.exe
3228	RuntimeBroker.exe
4500	RuntimeBroker.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\121e5b5079f7c0	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\9e8d7a4ca61bd9	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\RCXD613.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\RCXD691.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\sysmon.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCXDD2D.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RuntimeBroker.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\Java\jdk-1.8\sysmon.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RuntimeBroker.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCXDDAB.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\SppExtComObj.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\fr-FR\SearchApp.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\e1ef82546f0b02	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\fr-FR\SearchApp.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\it-IT\RCXD895.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\it-IT\sppsvc.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\it-IT\sppsvc.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\fr-FR\RCXDAAC.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\RCXD40E.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\SppExtComObj.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\it-IT\RCXD896.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\fr-FR\RCXDAAB.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\it-IT\0a1fd5f707cd16	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\fr-FR\38384e6a620884	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\RCXD390.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2316	schtasks.exe
1836	schtasks.exe
2436	schtasks.exe
1980	schtasks.exe
4968	schtasks.exe
4028	schtasks.exe
3144	schtasks.exe
2896	schtasks.exe
2432	schtasks.exe
2932	schtasks.exe
3852	schtasks.exe
5072	schtasks.exe
2300	schtasks.exe
4720	schtasks.exe
2152	schtasks.exe
1512	schtasks.exe
3264	schtasks.exe
4948	schtasks.exe
1472	schtasks.exe
4568	schtasks.exe
5012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
3388	powershell.exe
3388	powershell.exe
1952	powershell.exe
1952	powershell.exe
2016	powershell.exe
2016	powershell.exe
3772	powershell.exe
3772	powershell.exe
3116	powershell.exe
3116	powershell.exe
2940	powershell.exe
2940	powershell.exe
5056	powershell.exe
5056	powershell.exe
3076	powershell.exe
3076	powershell.exe
4392	powershell.exe
4392	powershell.exe
3544	powershell.exe
3544	powershell.exe
3232	powershell.exe
3232	powershell.exe
3076	powershell.exe
4392	powershell.exe
5056	powershell.exe
1952	powershell.exe
2016	powershell.exe
2940	powershell.exe
3388	powershell.exe
3116	powershell.exe
3772	powershell.exe
3232	powershell.exe
3544	powershell.exe
100	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	100	RuntimeBroker.exe
Token: SeDebugPrivilege	2736	RuntimeBroker.exe
Token: SeDebugPrivilege	4560	RuntimeBroker.exe
Token: SeDebugPrivilege	3228	RuntimeBroker.exe
Token: SeDebugPrivilege	4500	RuntimeBroker.exe
Token: SeDebugPrivilege	1836	RuntimeBroker.exe
Token: SeDebugPrivilege	2688	RuntimeBroker.exe
Token: SeDebugPrivilege	716	RuntimeBroker.exe
Token: SeDebugPrivilege	3228	RuntimeBroker.exe
Token: SeDebugPrivilege	4500	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 3544	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	104
PID 4496 wrote to memory of 3544	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	104
PID 4496 wrote to memory of 1952	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	105
PID 4496 wrote to memory of 1952	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	105
PID 4496 wrote to memory of 3772	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	106
PID 4496 wrote to memory of 3772	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	106
PID 4496 wrote to memory of 3388	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	107
PID 4496 wrote to memory of 3388	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	107
PID 4496 wrote to memory of 5056	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	108
PID 4496 wrote to memory of 5056	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	108
PID 4496 wrote to memory of 3232	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	109
PID 4496 wrote to memory of 3232	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	109
PID 4496 wrote to memory of 3076	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	110
PID 4496 wrote to memory of 3076	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	110
PID 4496 wrote to memory of 3116	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	111
PID 4496 wrote to memory of 3116	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	111
PID 4496 wrote to memory of 2016	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	112
PID 4496 wrote to memory of 2016	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	112
PID 4496 wrote to memory of 4392	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	113
PID 4496 wrote to memory of 4392	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	113
PID 4496 wrote to memory of 2940	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	114
PID 4496 wrote to memory of 2940	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	114
PID 4496 wrote to memory of 216	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	126
PID 4496 wrote to memory of 216	4496	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	126
PID 216 wrote to memory of 4748	216	cmd.exe	128
PID 216 wrote to memory of 4748	216	cmd.exe	128
PID 216 wrote to memory of 100	216	cmd.exe	129
PID 216 wrote to memory of 100	216	cmd.exe	129
PID 100 wrote to memory of 4212	100	RuntimeBroker.exe	132
PID 100 wrote to memory of 4212	100	RuntimeBroker.exe	132
PID 100 wrote to memory of 1440	100	RuntimeBroker.exe	133
PID 100 wrote to memory of 1440	100	RuntimeBroker.exe	133
PID 4212 wrote to memory of 2736	4212	WScript.exe	138
PID 4212 wrote to memory of 2736	4212	WScript.exe	138
PID 2736 wrote to memory of 4208	2736	RuntimeBroker.exe	139
PID 2736 wrote to memory of 4208	2736	RuntimeBroker.exe	139
PID 2736 wrote to memory of 2280	2736	RuntimeBroker.exe	140
PID 2736 wrote to memory of 2280	2736	RuntimeBroker.exe	140
PID 4208 wrote to memory of 4560	4208	WScript.exe	143
PID 4208 wrote to memory of 4560	4208	WScript.exe	143
PID 4560 wrote to memory of 4936	4560	RuntimeBroker.exe	144
PID 4560 wrote to memory of 4936	4560	RuntimeBroker.exe	144
PID 4560 wrote to memory of 764	4560	RuntimeBroker.exe	145
PID 4560 wrote to memory of 764	4560	RuntimeBroker.exe	145
PID 4936 wrote to memory of 3228	4936	WScript.exe	146
PID 4936 wrote to memory of 3228	4936	WScript.exe	146
PID 3228 wrote to memory of 5012	3228	RuntimeBroker.exe	147
PID 3228 wrote to memory of 5012	3228	RuntimeBroker.exe	147
PID 3228 wrote to memory of 3496	3228	RuntimeBroker.exe	148
PID 3228 wrote to memory of 3496	3228	RuntimeBroker.exe	148
PID 5012 wrote to memory of 4500	5012	WScript.exe	149
PID 5012 wrote to memory of 4500	5012	WScript.exe	149
PID 4500 wrote to memory of 4948	4500	RuntimeBroker.exe	150
PID 4500 wrote to memory of 4948	4500	RuntimeBroker.exe	150
PID 4500 wrote to memory of 4312	4500	RuntimeBroker.exe	151
PID 4500 wrote to memory of 4312	4500	RuntimeBroker.exe	151
PID 4948 wrote to memory of 1836	4948	WScript.exe	152
PID 4948 wrote to memory of 1836	4948	WScript.exe	152
PID 1836 wrote to memory of 3788	1836	RuntimeBroker.exe	153
PID 1836 wrote to memory of 3788	1836	RuntimeBroker.exe	153
PID 1836 wrote to memory of 4056	1836	RuntimeBroker.exe	154
PID 1836 wrote to memory of 4056	1836	RuntimeBroker.exe	154
PID 3788 wrote to memory of 2688	3788	WScript.exe	155
PID 3788 wrote to memory of 2688	3788	WScript.exe	155

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
"C:\Users\Admin\AppData\Local\Temp\6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mtbJLPzJ4Q.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4748
- - C:\Users\All Users\RuntimeBroker.exe
    "C:\Users\All Users\RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2be75961-61d9-4209-a9ce-f40b45dd1a83.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\993c2db5-097e-42d6-be2e-3e7b94a83da4.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc8cf784-0e5e-4116-8e80-b2949743cbe4.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df81fe12-77b8-4060-aa22-fd545ceac0b4.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3139d2a2-c740-4612-8e16-d723c2f01cfa.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4073821-682c-4b28-be82-ae67ee02b184.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87e1cac5-4958-4b32-8396-2050bfa7b08d.vbs"
        16⤵
        
        PID:924
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9da03e31-fa07-49dd-97e1-662277bb0db8.vbs"
        18⤵
        
        PID:1008
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c123bb48-3fd3-4490-b75c-00e9778275cf.vbs"
        20⤵
        
        PID:3236
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1997677-2d00-40db-b1e4-6a03e82b3a16.vbs"
        22⤵
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd38a2fe-349c-402a-9d72-00c05bed767c.vbs"
        22⤵
        
        PID:3492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee9d06eb-83b3-4d29-bc0f-5fecd24313e1.vbs"
        20⤵
        
        PID:4716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3033e5a8-559d-429f-badd-6886f0f23768.vbs"
        18⤵
        
        PID:224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\900b19e9-39e9-4fc2-82bc-5910f785c889.vbs"
        16⤵
        
        PID:636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f0b21f0-3bbc-4918-a2ef-d11a62a914a7.vbs"
        14⤵
        
        PID:4056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb2ecaa6-0890-43a1-a60f-dfd3cce89384.vbs"
        12⤵
        
        PID:4312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1937bc6-a183-4c5c-83fb-9aa82f835601.vbs"
        10⤵
        
        PID:3496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\262baf30-d8c9-44f6-9e6c-761c342936d8.vbs"
        8⤵
        
        PID:764
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d7deabd-482e-43c7-b784-fa76d4c4f4b3.vbs"
        6⤵
        
        PID:2280
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0b4468d-39bc-40d6-9861-c87be9c7353a.vbs"
      4⤵
      PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jdk-1.8\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk-1.8\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\fr-FR\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\sysmon.exe

Filesize
1.7MB

MD5
c48e4c69ccb2487fdcffece4acfff356

SHA1
acc5e9170c8fbe314a3540bdca2ef8b1e38ab665

SHA256
0aa06f211d3000cb8f066105b54307123edbdb778144ca64e74380b6c93900aa

SHA512
acd8d36547b4efb296f0ee8e055e14bfd6347de14bf96f96bf8aed85acc51fc547ad2638bab79ffb084ec0d64846365d9fc1b24a545fcf7365c9e7170d384ccb

Download Submit
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RuntimeBroker.exe

Filesize
1.7MB

MD5
451ac8b5a8cd2eed68449137c1aff7fe

SHA1
5906bd02fdab1ac8fc9ffe228978f43b09c75d50

SHA256
c0015a68a4f3dd0a351019e43df93223aa82db35762662c28a6580c7deb8e981

SHA512
65098b2ef2ab1f80fe9034e3eaf99d430724707a99c9bd956d19d62520866f1dc78297827a9f9dcc8f7b424b506a793788fceb8a0513ad4ad712e15fe9684d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2be75961-61d9-4209-a9ce-f40b45dd1a83.vbs

Filesize
711B

MD5
91fd4132b522164e42b95ad4e20c81bf

SHA1
babc6b412c10f4288c50b0cc121f2c85f272e366

SHA256
f6bbe82d84ca77e9922fcf239ee5f0a2f375cc95953ab9f9c3b6dc0162e33ab7

SHA512
0dbe5014e83d25031090368163c35b16a6878e1a71bb249871074212b435256c6d3b84fce847ac4db75bb554a2ee95f3c27270b01739a8ecb6038803aaefa758

Download Submit
C:\Users\Admin\AppData\Local\Temp\3139d2a2-c740-4612-8e16-d723c2f01cfa.vbs

Filesize
712B

MD5
32cbabd5da2de0a9750df655e921926b

SHA1
29e1d9350add4a2af8339567d05af8284a34ab6b

SHA256
c5fe3c7f80b60852afe3e1f311f97221f33e63ae46057d793d179a48676689fe

SHA512
53a1f45ae6a02ba25c32947a88808f4b40cc9d94c53f14d8c72850c9e1d0c3225ad385372b111c4f71432da236c40a198b29856a0911ff317854a7436ce98b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\87e1cac5-4958-4b32-8396-2050bfa7b08d.vbs

Filesize
712B

MD5
db9c68670051ff54cde29cf8edf27e27

SHA1
d9764813c8dc9405660a2c582947586e7cdca38a

SHA256
70ca1c8691c1857c08ebd9cdeef859cea71c754e9e49980a000b6525dfdee930

SHA512
670b61f5b9c4922bdddba3028d7c0fc430c38bb001b9f2ec24a3ce5c30fb82fb218c76389ade7e20aec019218a038190c5c28a9e90749d826a2c47b622bfda41

Download Submit
C:\Users\Admin\AppData\Local\Temp\993c2db5-097e-42d6-be2e-3e7b94a83da4.vbs

Filesize
712B

MD5
d46ab4a25d748d677f85d7fe0007071c

SHA1
87f36cd433dab2445ca33fb55a8808fba90686d2

SHA256
c2f7a54b49eb3c219aa67f0df2e63c1b4d277ed067604417dfdf9c5a2a4b0d3e

SHA512
660beb86cca2f8073cf7a2d046b06e0ce03bd697ee6de400fea5aae179043fa3a68e74a707a41ca7f7dfbc2218739a98b9999b186ed78346389ae6711a8ead98

Download Submit
C:\Users\Admin\AppData\Local\Temp\9da03e31-fa07-49dd-97e1-662277bb0db8.vbs

Filesize
711B

MD5
2c9a43c7c8b968b56e20ab71ebfea02f

SHA1
4357d5e65f5b708a88cf2634d26df5cd60fc6ef7

SHA256
e98c5c15308cb1b27f9ea73ce8527fa98e5a63f0c8d6021a3813742d3eeea56b

SHA512
2df3494642b35eb5c7fb546827a17813c2e27724ae699639a7ad533969e6f51d9b155ce341f33d5bd9a5d9080c693b2b41d3ce000b84bbd37cc897a9a1f4218a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lsj32tfw.502.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1742d99070a783e6faf2758b8d21767d1305c36.exe

Filesize
1.7MB

MD5
10afa5392eba9be8662b7bf100918541

SHA1
4a6dd9865a7f6e265e64644fa14b38806ce11abb

SHA256
914aea411c492586d2c8cc2d5edbe3fd72bc772185be864842e188012bf7e84d

SHA512
b6ca364d6d17125d328e2c33d1b60e8579d572e82a1e46f416464fc057ffaf4868343f935eef45f9abaf02ddbe512bd4526f5f391ffe01b2c6ae630cc411c0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4073821-682c-4b28-be82-ae67ee02b184.vbs

Filesize
712B

MD5
f548490deaae9b25ce45828f26454492

SHA1
a7c3e2cd9db118e1a90172c7b4c4f450796483c0

SHA256
fe83578cbcf8f08a48641d1ee5d36f465e634f05e9c0b64169d26267d3ae8b33

SHA512
1e31fc2f7882793b5daca08ee527599248073df45e82b5605f10e9a311ae225e1189c3cea92ec4a49ffd5b12d24f189458e6331b8b80bb93f49f296366cabe62

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0b4468d-39bc-40d6-9861-c87be9c7353a.vbs

Filesize
488B

MD5
9b8bb92939d834f016c328dfe1dc9274

SHA1
7b87926c722a068131bd791c8d70c1051ff6d725

SHA256
01f1b5290b36283f829f012b1d23cf582326aba48649d2c0553fa8f0cbe4cead

SHA512
01d19c4ea1c3497941970ffc8839155c2b8291865dc5cc2d3cad2a0d866b1a51b66cf2e6f7f7c3fd3cf506b2e8641993ad592a8859b262a839b764cd504f5b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc8cf784-0e5e-4116-8e80-b2949743cbe4.vbs

Filesize
712B

MD5
843be749e12c1949f40632d07459c1f2

SHA1
ec342ea43f530540ed831c50531a1fb0a6118faa

SHA256
f08151d5a86ca3c2911a2915efab8bf1923aaddca0bbdc01c419a62989a196ff

SHA512
f3bd5c044cc880bf3b444fb79aa65514fc0c59f72aedea4bf7ff85ab87e784bc9a0164057c8074cc851c576f0fc4c6eb868b230265a218cda41b892aa9d851cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\df81fe12-77b8-4060-aa22-fd545ceac0b4.vbs

Filesize
712B

MD5
e8abec004a73d63f7b2a85144fcaa7ec

SHA1
5e868250142e5c3c28eafd63a053366a3ce2a930

SHA256
d0da999bae7bfc57549bb63826c1e54a85456fc59235a3c33e265ad5a3d52354

SHA512
59098fb936c52adc1e07acf56f5ac1e7b66ebbb39e7173ed1ed4bebf46d80107c83551db0076840e725c507c554200953a5538f2aaa054b09319d488074a4406

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtbJLPzJ4Q.bat

Filesize
201B

MD5
c6d36dcf8fd91f374d3eabce0cfb127d

SHA1
9179eb326673ea97d00cf5dcd0414764c9e070a2

SHA256
8857c4ad98353e3386647fd68dac2b288c70903dd47d4b99306e6ad32e46fe87

SHA512
565932d760cdb622c86e4ce1fdd60bba0056c77f155d05b8a3bcfbe81cf638129934da86fe9b154f15a11e4228676c2b23686abfab348abf3359fbd42d76415e

Download Submit
C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\SppExtComObj.exe

Filesize
1.7MB

MD5
adf30420056441c9436352439634a64e

SHA1
41ad482b550ca0920a1bd1f36ce510f7d24434df

SHA256
889496cddd4919b8508068a86b503c5164e269f5f7c43abf7cc370dd6f900824

SHA512
3011484558f10ddcf660fb193e2993ac132498f13242b37b636691c0d9d25f51d8224d1b3ea332e5771221faed049cf042f51d1ae2bb808b31f5aba6b73a6437

Download Submit
C:\Windows\fr-FR\SearchApp.exe

Filesize
1.7MB

MD5
96eb6349f62024cbe4512ce6fe98e9ca

SHA1
ca1e4b20f9a1e3ffb2ab3776370fe94e936ad29f

SHA256
6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c

SHA512
5741d00be28702ea6e64cfb3ea44fe38df4cd2296b5949d5cfe7ed785eae922d9ba82b07893882d4b19e3685e17796e4fba0087d50366fc608939b9ce0cbd0e4

Download Submit
memory/2016-126-0x0000020ADB830000-0x0000020ADB852000-memory.dmp

Filesize
136KB

Download
memory/4496-7-0x0000000002E00000-0x0000000002E16000-memory.dmp

Filesize
88KB

Download
memory/4496-0-0x00007FF9D5903000-0x00007FF9D5905000-memory.dmp

Filesize
8KB

Download
memory/4496-155-0x00007FF9D5900000-0x00007FF9D63C1000-memory.dmp

Filesize
10.8MB

Download
memory/4496-10-0x000000001BE30000-0x000000001BE38000-memory.dmp

Filesize
32KB

Download
memory/4496-12-0x000000001BE40000-0x000000001BE52000-memory.dmp

Filesize
72KB

Download
memory/4496-8-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/4496-5-0x0000000002C60000-0x0000000002C68000-memory.dmp

Filesize
32KB

Download
memory/4496-6-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/4496-4-0x000000001BE80000-0x000000001BED0000-memory.dmp

Filesize
320KB

Download
memory/4496-3-0x0000000002DD0000-0x0000000002DEC000-memory.dmp

Filesize
112KB

Download
memory/4496-2-0x00007FF9D5900000-0x00007FF9D63C1000-memory.dmp

Filesize
10.8MB

Download
memory/4496-9-0x0000000002E40000-0x0000000002E4C000-memory.dmp

Filesize
48KB

Download
memory/4496-22-0x00007FF9D5900000-0x00007FF9D63C1000-memory.dmp

Filesize
10.8MB

Download
memory/4496-1-0x00000000009F0000-0x0000000000BB0000-memory.dmp

Filesize
1.8MB

Download
memory/4496-23-0x00007FF9D5900000-0x00007FF9D63C1000-memory.dmp

Filesize
10.8MB

Download
memory/4496-19-0x000000001BFF0000-0x000000001BFFC000-memory.dmp

Filesize
48KB

Download
memory/4496-16-0x000000001C150000-0x000000001C15E000-memory.dmp

Filesize
56KB

Download
memory/4496-13-0x000000001C400000-0x000000001C928000-memory.dmp

Filesize
5.2MB

Download
memory/4496-18-0x000000001BFE0000-0x000000001BFEC000-memory.dmp

Filesize
48KB

Download
memory/4496-17-0x000000001BFD0000-0x000000001BFD8000-memory.dmp

Filesize
32KB

Download
memory/4496-15-0x000000001C140000-0x000000001C14A000-memory.dmp

Filesize
40KB

Download
memory/4496-14-0x000000001BE70000-0x000000001BE7C000-memory.dmp

Filesize
48KB

Download
memory/4500-300-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download