dcrat | e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386

Analysis

max time kernel
102s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
Size

1.7MB
MD5

a55ec0151237a920dfd1fbce1dacca26
SHA1

b3abf9945fc79c6a57c16dd519de7027d4ebd4b3
SHA256

e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386
SHA512

c064443dc5f5759f4f36cdf230e13486a6a2af673e4f59bb02ae6e21f60b0fff115d580cf69eaeed17d5c5ec40e127c4a1c02a9beccd3243e00b7ad5d973d617
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJC:NgwuuEpdDLNwVMeXDL0fdSzAGL

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	2976	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	2976	schtasks.exe	83

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3352-1-0x00000000009F0000-0x0000000000BA6000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c78-31.dat	dcrat
behavioral2/files/0x0009000000023c77-52.dat	dcrat
behavioral2/files/0x0007000000023c6a-196.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1044	powershell.exe
3940	powershell.exe
3136	powershell.exe
3232	powershell.exe
2876	powershell.exe
1488	powershell.exe
2080	powershell.exe
1572	powershell.exe
564	powershell.exe
2016	powershell.exe
4996	powershell.exe
1784	powershell.exe
1496	powershell.exe
4744	powershell.exe
4728	powershell.exe
2496	powershell.exe
1860	powershell.exe
3876	powershell.exe
4756	powershell.exe
3188	powershell.exe
4664	powershell.exe
2872	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 3 IoCs

pid	Process
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4976	OfficeClickToRun.exe
2552	OfficeClickToRun.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AppLocker\sppsvc.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Windows\SysWOW64\AppLocker\0a1fd5f707cd16	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Windows\SysWOW64\AppLocker\sppsvc.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\e6c9b481da804f	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files (x86)\Microsoft.NET\wininit.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\OfficeClickToRun.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files\Crashpad\reports\121e5b5079f7c0	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files\Crashpad\reports\sysmon.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\OfficeClickToRun.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXBBF0.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\e6c9b481da804f	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files (x86)\Microsoft.NET\56085415360792	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\wininit.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files (x86)\Windows Media Player\OfficeClickToRun.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files\Crashpad\reports\sysmon.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXBBD0.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCXC087.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCXC088.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\OfficeClickToRun.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\debug\Idle.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Windows\debug\6ccacd8608530f	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Windows\debug\RCXBE04.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Windows\debug\RCXBE82.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Windows\debug\Idle.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Windows\ShellExperiences\System.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Windows\ShellExperiences\27d1bcfc3c54e0	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Windows\ShellExperiences\System.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2444	schtasks.exe
3204	schtasks.exe
1372	schtasks.exe
2248	schtasks.exe
1776	schtasks.exe
2424	schtasks.exe
2740	schtasks.exe
4188	schtasks.exe
3672	schtasks.exe
4924	schtasks.exe
312	schtasks.exe
1196	schtasks.exe
4752	schtasks.exe
4696	schtasks.exe
3756	schtasks.exe
2708	schtasks.exe
4340	schtasks.exe
2780	schtasks.exe
444	schtasks.exe
1460	schtasks.exe
64	schtasks.exe
1196	schtasks.exe
4136	schtasks.exe
4680	schtasks.exe
3264	schtasks.exe
3620	schtasks.exe
3380	schtasks.exe
1800	schtasks.exe
4140	schtasks.exe
1424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
3940	powershell.exe
3940	powershell.exe
4728	powershell.exe
4728	powershell.exe
1860	powershell.exe
1860	powershell.exe
4744	powershell.exe
4744	powershell.exe
3136	powershell.exe
3136	powershell.exe
4756	powershell.exe
4756	powershell.exe
2080	powershell.exe
2080	powershell.exe
2496	powershell.exe
2496	powershell.exe
3188	powershell.exe
3188	powershell.exe
1572	powershell.exe
1572	powershell.exe
1488	powershell.exe
1488	powershell.exe
3136	powershell.exe
3940	powershell.exe
1860	powershell.exe
3188	powershell.exe
4744	powershell.exe
4756	powershell.exe
4728	powershell.exe
2080	powershell.exe
1488	powershell.exe
1572	powershell.exe
2496	powershell.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	4976	OfficeClickToRun.exe
Token: SeDebugPrivilege	2552	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 4744	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	94
PID 3352 wrote to memory of 4744	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	94
PID 3352 wrote to memory of 1488	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	95
PID 3352 wrote to memory of 1488	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	95
PID 3352 wrote to memory of 2080	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	96
PID 3352 wrote to memory of 2080	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	96
PID 3352 wrote to memory of 3940	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	97
PID 3352 wrote to memory of 3940	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	97
PID 3352 wrote to memory of 4728	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	98
PID 3352 wrote to memory of 4728	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	98
PID 3352 wrote to memory of 4756	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	99
PID 3352 wrote to memory of 4756	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	99
PID 3352 wrote to memory of 2496	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	100
PID 3352 wrote to memory of 2496	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	100
PID 3352 wrote to memory of 1572	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	101
PID 3352 wrote to memory of 1572	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	101
PID 3352 wrote to memory of 1860	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	102
PID 3352 wrote to memory of 1860	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	102
PID 3352 wrote to memory of 3136	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	103
PID 3352 wrote to memory of 3136	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	103
PID 3352 wrote to memory of 3188	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	104
PID 3352 wrote to memory of 3188	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	104
PID 3352 wrote to memory of 4560	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	115
PID 3352 wrote to memory of 4560	3352	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	115
PID 4560 wrote to memory of 5052	4560	cmd.exe	118
PID 4560 wrote to memory of 5052	4560	cmd.exe	118
PID 4560 wrote to memory of 4056	4560	cmd.exe	120
PID 4560 wrote to memory of 4056	4560	cmd.exe	120
PID 4056 wrote to memory of 2016	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	147
PID 4056 wrote to memory of 2016	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	147
PID 4056 wrote to memory of 4664	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	148
PID 4056 wrote to memory of 4664	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	148
PID 4056 wrote to memory of 3232	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	149
PID 4056 wrote to memory of 3232	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	149
PID 4056 wrote to memory of 4996	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	150
PID 4056 wrote to memory of 4996	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	150
PID 4056 wrote to memory of 1784	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	151
PID 4056 wrote to memory of 1784	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	151
PID 4056 wrote to memory of 564	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	152
PID 4056 wrote to memory of 564	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	152
PID 4056 wrote to memory of 1496	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	153
PID 4056 wrote to memory of 1496	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	153
PID 4056 wrote to memory of 2876	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	154
PID 4056 wrote to memory of 2876	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	154
PID 4056 wrote to memory of 1044	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	155
PID 4056 wrote to memory of 1044	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	155
PID 4056 wrote to memory of 2872	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	156
PID 4056 wrote to memory of 2872	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	156
PID 4056 wrote to memory of 3876	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	157
PID 4056 wrote to memory of 3876	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	157
PID 4056 wrote to memory of 4976	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	171
PID 4056 wrote to memory of 4976	4056	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	171
PID 4976 wrote to memory of 3952	4976	OfficeClickToRun.exe	172
PID 4976 wrote to memory of 3952	4976	OfficeClickToRun.exe	172
PID 4976 wrote to memory of 2548	4976	OfficeClickToRun.exe	173
PID 4976 wrote to memory of 2548	4976	OfficeClickToRun.exe	173
PID 3952 wrote to memory of 2552	3952	WScript.exe	178
PID 3952 wrote to memory of 2552	3952	WScript.exe	178

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
"C:\Users\Admin\AppData\Local\Temp\e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzT2T8LEge.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5052
- - C:\Users\Admin\AppData\Local\Temp\e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
    "C:\Users\Admin\AppData\Local\Temp\e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3876
  - - C:\Program Files (x86)\Google\Update\1.3.36.371\OfficeClickToRun.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.371\OfficeClickToRun.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4976
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4426749f-48a7-4856-9a82-306f20e1d81a.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3952
      - C:\Program Files (x86)\Google\Update\1.3.36.371\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.371\OfficeClickToRun.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e839dc2e-579a-4998-afdf-33aab5a77460.vbs"
        5⤵
        
        PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\debug\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\reports\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\reports\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\AppLocker\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SysWOW64\AppLocker\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\AppLocker\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
36c0eb4cc9fdffc5d2d368d7231ad514

SHA1
ce52fda315ce5c60a0af506f87edb0c2b3fdebcc

SHA256
f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b

SHA512
4ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b801d886e417a9bf405b2f0092e04fe1

SHA1
fa99fefa2f49af240141692f78c8c28f04205389

SHA256
57b1c29eef54567fcfdaa28d2923485cb6f77bb76dc54235965fb34f02a42636

SHA512
b2c8bf95b4c25d7fff388b5f3e04212c43af9588f7aed8a7cb251330ee18c89789eb1d294b8449ec2afeb9b5373d7a6dce8f4369b84cbfb6a7c7813341fa07ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
307f2ff88aa5285fefdac601d8e516b2

SHA1
adc77c4b60b0e3e0caf606cdfa12a14ac1114877

SHA256
0ab5bc86fe7d968023b8aefc17f229251ca596e4a7436581d921d762fdd6d569

SHA512
6cbd566c374841aae8a056dd83d570da5d583ee8c110a69e2cf840a4dc975a925e57f772449c7c805df51b8ecce2831e139509238bebe0b4b1d4a47d12182918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cfb3f21f75cad7300c80e6ef6f87f8f7

SHA1
85b7fbc6443396860235d6de887e85b7d972534f

SHA256
865104106276644c059a0383c220f010a258c79443f7f17216b98f0b40923dba

SHA512
1d4fd79d62fc0e75fa2c77f037409a8df0b22d0fc6b1d9768312855f10d9a98e5369b2930dca1ed524f0abefa0941e3ee745b00edd5c5bf1b1424a06ad04ce4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7a451cd1316d70a65910773fee8c3a43

SHA1
d2db32d5037153dd1d94565b51b5b385817a3c3d

SHA256
862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c

SHA512
60887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
150616521d490e160cd33b97d678d206

SHA1
71594f5b97a4a61fe5f120eb10bcd6b73d7e6e78

SHA256
94595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827

SHA512
7043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cfecb4e0f846589c2742fd84d6bbd1db

SHA1
730c66c99e80f1c7d0fdd1ef7483c9dfb0a770ec

SHA256
12190c96e9eef24f7ee9a4e19d806f29d4aedab1f2c696478dea5684941824aa

SHA512
669241f726837dcd3b6c6664e002c4938cf1ccf9be3f3b4a953efb35a2977c6ea9536e1b61b92b1b716991f9801f4516d8e1d53c65ac605174ece553f19da475

Download Submit
C:\Users\Admin\AppData\Local\Temp\4426749f-48a7-4856-9a82-306f20e1d81a.vbs

Filesize
744B

MD5
dc36d28e65fb4f7495c2139c4f56b658

SHA1
9a88d651a8fed14ac239d6dd4b70e54a5a858704

SHA256
aa085ccad74ab3ae18d10300f13af6792b983bdf2c6222ce1814a0dbf2094b76

SHA512
9a6c133c4ffcbde93ea06869a4517df0963959cf10b4c8a680907e0fc328234b2be88107ec4ff1574fa129a3375e8ca5572fe864f7d5d965aa143909608495fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzT2T8LEge.bat

Filesize
267B

MD5
887244451f3e633f30e86956384793ab

SHA1
bd13b22c4ca8cf23aa23ee2a0af531e04a03089d

SHA256
7dd286d0352061cf9af493e7ce78db1e6f6a67244d105372baf7064caa234c17

SHA512
9ca5b223e0f45e43240e41f94c0ba6053a8eced2fb9d60d7d19966f6b0e1c69a65ef3305a1abe6e8bcf20ca4255742546d34bc668227d743e7f72c159fd772c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXB9CB.tmp

Filesize
1.7MB

MD5
7e230d7061450e5e7d410e18140ca580

SHA1
5ed53f720d72878e0b908d335b85ebee8a6a5e5f

SHA256
6999be600ef5013ebb9f112446d413bfa121b2e7e1c2c491587432f489f462e7

SHA512
b9aeaaabf25a9c1ba068d8005c8f92b0ac0c65a93d3fd9df54661af72aa8eca1341ab54b44928b6258f2396c59eccceec9f46e7d10810855e5cfb5d37b88b688

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e32d0dxw.tlu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe

Filesize
1.7MB

MD5
a55ec0151237a920dfd1fbce1dacca26

SHA1
b3abf9945fc79c6a57c16dd519de7027d4ebd4b3

SHA256
e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386

SHA512
c064443dc5f5759f4f36cdf230e13486a6a2af673e4f59bb02ae6e21f60b0fff115d580cf69eaeed17d5c5ec40e127c4a1c02a9beccd3243e00b7ad5d973d617

Download Submit
C:\Users\Admin\AppData\Local\Temp\e839dc2e-579a-4998-afdf-33aab5a77460.vbs

Filesize
520B

MD5
9de18f59b281c404e49cafe58b9c1303

SHA1
e57aa388743e7419aa9a11a95402b26b6a53ee9c

SHA256
a080bf16ac72f6005d637306b33b0488d6d8021ae7c1a7198270e033185a522a

SHA512
83508e5274431119bcd584e9a4b7f67465e015cfb54e2e91e151a85ff4cd7c4be82343229d7c5e50a783effe7d37e56058301025d03583201c78b1cd5482cfee

Download Submit
C:\Windows\debug\Idle.exe

Filesize
1.7MB

MD5
de43324cad2ebe108458caf8de4eabef

SHA1
93381d69b456de01bace2beca5aeac1e0e0f4788

SHA256
2d9189035732c702e414db46a80f53fe141fd426acfad1c6becd6bca8ac6d4dd

SHA512
c72ce9f2a894d8abb65ecee02e77f379dd40cce577a9a58561777b6e71115bc18b81fb4a26ea455d21c2a6760a037d776a23ccf098e62a33032f159683f5068c

Download Submit
memory/2552-418-0x000000001B2D0000-0x000000001B2E2000-memory.dmp

Filesize
72KB

Download
memory/3352-11-0x000000001B820000-0x000000001B828000-memory.dmp

Filesize
32KB

Download
memory/3352-0-0x00007FFFE0C63000-0x00007FFFE0C65000-memory.dmp

Filesize
8KB

Download
memory/3352-1-0x00000000009F0000-0x0000000000BA6000-memory.dmp

Filesize
1.7MB

Download
memory/3352-22-0x00007FFFE0C60000-0x00007FFFE1721000-memory.dmp

Filesize
10.8MB

Download
memory/3352-14-0x000000001B9B0000-0x000000001B9BC000-memory.dmp

Filesize
48KB

Download
memory/3352-15-0x000000001B9C0000-0x000000001B9CA000-memory.dmp

Filesize
40KB

Download
memory/3352-16-0x000000001B9D0000-0x000000001B9D8000-memory.dmp

Filesize
32KB

Download
memory/3352-18-0x000000001B9F0000-0x000000001B9FC000-memory.dmp

Filesize
48KB

Download
memory/3352-19-0x00007FFFE0C60000-0x00007FFFE1721000-memory.dmp

Filesize
10.8MB

Download
memory/3352-17-0x000000001B9E0000-0x000000001B9EC000-memory.dmp

Filesize
48KB

Download
memory/3352-13-0x000000001B840000-0x000000001B84C000-memory.dmp

Filesize
48KB

Download
memory/3352-91-0x00007FFFE0C60000-0x00007FFFE1721000-memory.dmp

Filesize
10.8MB

Download
memory/3352-10-0x0000000002D30000-0x0000000002D3C000-memory.dmp

Filesize
48KB

Download
memory/3352-9-0x000000001B830000-0x000000001B840000-memory.dmp

Filesize
64KB

Download
memory/3352-5-0x0000000002CE0000-0x0000000002CE8000-memory.dmp

Filesize
32KB

Download
memory/3352-8-0x0000000002D20000-0x0000000002D32000-memory.dmp

Filesize
72KB

Download
memory/3352-7-0x0000000002D00000-0x0000000002D16000-memory.dmp

Filesize
88KB

Download
memory/3352-6-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/3352-4-0x000000001B960000-0x000000001B9B0000-memory.dmp

Filesize
320KB

Download
memory/3352-3-0x0000000002CC0000-0x0000000002CDC000-memory.dmp

Filesize
112KB

Download
memory/3352-2-0x00007FFFE0C60000-0x00007FFFE1721000-memory.dmp

Filesize
10.8MB

Download
memory/3940-82-0x00000212AFD50000-0x00000212AFD72000-memory.dmp

Filesize
136KB

Download
memory/3952-415-0x000001F8B04B0000-0x000001F8B04FE000-memory.dmp

Filesize
312KB

Download