dcrat | 5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/12/2024, 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Size

1.7MB
MD5

f59ecdbcab34fe5159a7d218e5a65f40
SHA1

36b1e99369d6a2199fccddcb0c9a0f08f7ac9ef8
SHA256

5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7
SHA512

9ee5e476d561d0f8b4a3b94c9ee215411f19987c4dadbc76521cb6190a3d412f606d1eb3339c38fd83a1a50d95f7b916c8e7a5a14d0b1127d4276dfa29d76cc4
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	3660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	3660	schtasks.exe	83

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4044-1-0x00000000001E0000-0x00000000003A0000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b9e-30.dat	dcrat
behavioral2/files/0x000300000001e75d-190.dat	dcrat
behavioral2/files/0x0015000000023bce-218.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3876	powershell.exe
1892	powershell.exe
680	powershell.exe
2728	powershell.exe
1932	powershell.exe
116	powershell.exe
1300	powershell.exe
4160	powershell.exe
4316	powershell.exe
3824	powershell.exe
3016	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe

Executes dropped EXE 7 IoCs

pid	Process
4880	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
2508	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
1480	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4436	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
1712	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
3868	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
3792	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\smss.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files (x86)\Common Files\sihost.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files\Java\jdk-1.8\smss.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\sysmon.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCX8CA3.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\RCX9D4C.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Java\RCX9F61.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sysmon.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Windows Mail\StartMenuExperienceHost.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Windows Security\RuntimeBroker.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXA880.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files\Windows Mail\55b276f4edf653	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files\Windows Security\RuntimeBroker.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files\Windows Security\9e8d7a4ca61bd9	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files\Reference Assemblies\dllhost.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Reference Assemblies\dllhost.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\RCX9B37.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files (x86)\Common Files\66fc9ff0ee96c2	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files\Java\jdk-1.8\69ddcba757bf72	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files\Windows Mail\StartMenuExperienceHost.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCX8CA2.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\RCX9B38.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Windows Mail\RCXA1F4.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files\Java\22eafd247d37c3	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Windows Security\RCXA3FA.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\121e5b5079f7c0	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files\Java\TextInputHost.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Java\RCX9F62.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Java\TextInputHost.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Windows Security\RCXA3F9.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXA812.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files (x86)\Common Files\sihost.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Program Files\Reference Assemblies\5940a34987c991	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\RCX9D4D.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Program Files\Windows Mail\RCXA176.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GameBarPresenceWriter\RCX8EA7.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Windows\Setup\sihost.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Windows\es-ES\RCXAF0D.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Windows\Setup\RCX9922.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Windows\GameBarPresenceWriter\sihost.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Windows\GameBarPresenceWriter\66fc9ff0ee96c2	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Windows\Setup\sihost.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Windows\Speech\Engines\SR\fr-FR\MusNotification.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\sihost.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Windows\Setup\RCX9921.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Windows\es-ES\dwm.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Windows\Setup\66fc9ff0ee96c2	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Windows\es-ES\dwm.exe	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File created	C:\Windows\es-ES\6cb0b6c459d5d3	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCX8EB8.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
File opened for modification	C:\Windows\es-ES\RCXAF0E.tmp	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3892	schtasks.exe
5020	schtasks.exe
3136	schtasks.exe
4104	schtasks.exe
512	schtasks.exe
1700	schtasks.exe
3192	schtasks.exe
2952	schtasks.exe
3140	schtasks.exe
4856	schtasks.exe
3608	schtasks.exe
2844	schtasks.exe
3204	schtasks.exe
4820	schtasks.exe
3304	schtasks.exe
1964	schtasks.exe
3508	schtasks.exe
4076	schtasks.exe
4796	schtasks.exe
1400	schtasks.exe
5004	schtasks.exe
3208	schtasks.exe
3244	schtasks.exe
4824	schtasks.exe
4256	schtasks.exe
2176	schtasks.exe
1548	schtasks.exe
4516	schtasks.exe
3964	schtasks.exe
548	schtasks.exe
2376	schtasks.exe
400	schtasks.exe
2572	schtasks.exe
4704	schtasks.exe
3260	schtasks.exe
1568	schtasks.exe
3452	schtasks.exe
2480	schtasks.exe
2796	schtasks.exe
3488	schtasks.exe
1444	schtasks.exe
4860	schtasks.exe
3548	schtasks.exe
3040	schtasks.exe
5116	schtasks.exe
536	schtasks.exe
3544	schtasks.exe
4572	schtasks.exe
2780	schtasks.exe
1684	schtasks.exe
2920	schtasks.exe
4596	schtasks.exe
4784	schtasks.exe
1800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	4880	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Token: SeDebugPrivilege	2508	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Token: SeDebugPrivilege	1480	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Token: SeDebugPrivilege	4436	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Token: SeDebugPrivilege	1712	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Token: SeDebugPrivilege	3868	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
Token: SeDebugPrivilege	3792	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3016	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	142
PID 4044 wrote to memory of 3016	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	142
PID 4044 wrote to memory of 1932	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	143
PID 4044 wrote to memory of 1932	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	143
PID 4044 wrote to memory of 116	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	144
PID 4044 wrote to memory of 116	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	144
PID 4044 wrote to memory of 3876	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	145
PID 4044 wrote to memory of 3876	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	145
PID 4044 wrote to memory of 1300	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	146
PID 4044 wrote to memory of 1300	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	146
PID 4044 wrote to memory of 4160	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	147
PID 4044 wrote to memory of 4160	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	147
PID 4044 wrote to memory of 4316	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	148
PID 4044 wrote to memory of 4316	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	148
PID 4044 wrote to memory of 1892	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	149
PID 4044 wrote to memory of 1892	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	149
PID 4044 wrote to memory of 3824	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	150
PID 4044 wrote to memory of 3824	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	150
PID 4044 wrote to memory of 680	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	151
PID 4044 wrote to memory of 680	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	151
PID 4044 wrote to memory of 2728	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	152
PID 4044 wrote to memory of 2728	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	152
PID 4044 wrote to memory of 2884	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	164
PID 4044 wrote to memory of 2884	4044	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	164
PID 2884 wrote to memory of 5028	2884	cmd.exe	166
PID 2884 wrote to memory of 5028	2884	cmd.exe	166
PID 2884 wrote to memory of 4880	2884	cmd.exe	173
PID 2884 wrote to memory of 4880	2884	cmd.exe	173
PID 4880 wrote to memory of 4852	4880	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	175
PID 4880 wrote to memory of 4852	4880	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	175
PID 4880 wrote to memory of 4080	4880	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	176
PID 4880 wrote to memory of 4080	4880	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	176
PID 4852 wrote to memory of 2508	4852	WScript.exe	180
PID 4852 wrote to memory of 2508	4852	WScript.exe	180
PID 2508 wrote to memory of 3124	2508	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	183
PID 2508 wrote to memory of 3124	2508	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	183
PID 2508 wrote to memory of 1708	2508	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	184
PID 2508 wrote to memory of 1708	2508	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	184
PID 3124 wrote to memory of 1480	3124	WScript.exe	185
PID 3124 wrote to memory of 1480	3124	WScript.exe	185
PID 1480 wrote to memory of 640	1480	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	187
PID 1480 wrote to memory of 640	1480	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	187
PID 1480 wrote to memory of 4948	1480	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	188
PID 1480 wrote to memory of 4948	1480	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	188
PID 640 wrote to memory of 4436	640	WScript.exe	189
PID 640 wrote to memory of 4436	640	WScript.exe	189
PID 4436 wrote to memory of 4896	4436	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	191
PID 4436 wrote to memory of 4896	4436	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	191
PID 4436 wrote to memory of 2584	4436	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	192
PID 4436 wrote to memory of 2584	4436	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	192
PID 4896 wrote to memory of 1712	4896	WScript.exe	194
PID 4896 wrote to memory of 1712	4896	WScript.exe	194
PID 1712 wrote to memory of 1624	1712	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	196
PID 1712 wrote to memory of 1624	1712	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	196
PID 1712 wrote to memory of 876	1712	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	197
PID 1712 wrote to memory of 876	1712	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	197
PID 1624 wrote to memory of 3868	1624	WScript.exe	198
PID 1624 wrote to memory of 3868	1624	WScript.exe	198
PID 3868 wrote to memory of 2012	3868	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	200
PID 3868 wrote to memory of 2012	3868	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	200
PID 3868 wrote to memory of 5012	3868	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	201
PID 3868 wrote to memory of 5012	3868	5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe	201
PID 2012 wrote to memory of 3792	2012	WScript.exe	202
PID 2012 wrote to memory of 3792	2012	WScript.exe	202

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
"C:\Users\Admin\AppData\Local\Temp\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\40iwpY0nJ9.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5028
- - C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
    "C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3156469c-1e95-4ea2-92f7-f8118e841090.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
        
        C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735a0fe9-7995-42b8-8bec-91550b69168d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
        
        C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed71c598-f000-4a87-b09f-f42b31dfa59f.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
        
        C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f618964-d7c9-4d02-bc0d-d11e8e5cc083.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
        
        C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67dfe054-c5f5-481d-ae8b-150ed28a993b.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
        
        C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3eee7403-9905-464b-b96e-c360089a74f5.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
        
        C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\708ab6e6-77dc-45b3-9f58-87ebb969c19e.vbs"
        16⤵
        
        PID:4380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85933847-e538-4dfb-bb28-254834787be7.vbs"
        16⤵
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c548cde-9680-4b23-bc28-9150162fea8d.vbs"
        14⤵
        
        PID:5012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e25210a3-00af-40f2-b32b-06580452bf5f.vbs"
        12⤵
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c359cc1-6de7-4d1f-b118-2eb91f680581.vbs"
        10⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3208237-8fdb-4bf7-bc52-9d7ae81239a0.vbs"
        8⤵
        
        PID:4948
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80fd8cc4-da8c-49e9-8b48-ab3b27646b47.vbs"
        6⤵
        
        PID:1708
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3241b218-cc4b-47bd-be2c-d0abe8a47901.vbs"
      4⤵
      PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N5" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N5" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Setup\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jdk-1.8\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Java\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N5" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N5" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Reference Assemblies\dllhost.exe

Filesize
1.7MB

MD5
bde0d9af3a89271f5ab636791fc4ff25

SHA1
5f9e0ee2c0d204346784e323e73103b00d7643d2

SHA256
2366bdaa073f469c3e4792a56afa7803e03a991dede04c1a3820fb1b06192da1

SHA512
08d2be6a6ceda102cb63e0086dbfb0bed9a4e24bc15d7d0ec77c460ff2eb7d06ea9996a0bc2de099001c4dc7ee3996a46579d6121aa03d4796596af26c5d1d58

Download Submit
C:\Program Files\Windows Mail\StartMenuExperienceHost.exe

Filesize
1.7MB

MD5
738c3deba5882706d2ad41e119b81ae5

SHA1
591d7bc6106a0a48894c29991695b10a014d95b7

SHA256
467220bde9274b271a081ff547edc4ae4c3f70a2d9b131977d67f6fc517ccf3d

SHA512
da5300dede886da152aabb5cc631a528fab04a1dd47c76987ea15700fca31a11ebc71ab9fee0d915dd2a6b1fdb830fb7fb64e5348cd53b667c648170dab6b2e9

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.7MB

MD5
f59ecdbcab34fe5159a7d218e5a65f40

SHA1
36b1e99369d6a2199fccddcb0c9a0f08f7ac9ef8

SHA256
5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7

SHA512
9ee5e476d561d0f8b4a3b94c9ee215411f19987c4dadbc76521cb6190a3d412f606d1eb3339c38fd83a1a50d95f7b916c8e7a5a14d0b1127d4276dfa29d76cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f618964-d7c9-4d02-bc0d-d11e8e5cc083.vbs

Filesize
767B

MD5
d767014e1c5140e59cf0b99ae9ae36ea

SHA1
1ec159eb731eb8468a16d942817c9c49ed565c4a

SHA256
0b6b3bc125f4fbfe5000b000b99cd6dc76b9ee511d0c7534de733822cb86aa3e

SHA512
35d0feeedf22884cde3046aed4c210118ffcff74229d32bef6b82710c325969faeb8e007e0a8b22474803cb1411ec2eac490a2fd274c76fe298be16f717ba400

Download Submit
C:\Users\Admin\AppData\Local\Temp\3156469c-1e95-4ea2-92f7-f8118e841090.vbs

Filesize
767B

MD5
46d1a27fc67d5038b783c7f5baf7b7b0

SHA1
e196b78e2a67a42fb6cc29627cc2439eebeb5d56

SHA256
37c5c4d7710302e219b19189979e09fa358bd7ba6bfa06494704b53b2de34d90

SHA512
6e1c2f034197046e7c8aae5bfe08e479c6acd33861618d831d52461dc6c2bffeda057053d95bf6eb57e1b060efb6740fe73f98bf123396c0ddadd0d478c27b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3241b218-cc4b-47bd-be2c-d0abe8a47901.vbs

Filesize
543B

MD5
bf79777322e1f9e3d24e5a74425daba2

SHA1
a61c965107bb92474d25d817929624ca6503e87f

SHA256
3721889849dab35d6a665d2f217abec0964f522b39c41e7ec025a22f7229891d

SHA512
628a51cf13049938f9c02f780e5b012222a29871a8135c18d589b4c82e65c4aaf28c19be46e602398c5fb8fae542b245272235bba2994c737924857b988ffa24

Download Submit
C:\Users\Admin\AppData\Local\Temp\3eee7403-9905-464b-b96e-c360089a74f5.vbs

Filesize
767B

MD5
63141612a15894c01ce929d0a7360868

SHA1
eb9abbad2516e824ca10538f2d0b03a0599c259d

SHA256
b40eae73df935f36c6c1c4027a4e0e9036b96b4e3f3288d435236750f4fb5e2f

SHA512
b242057a83d4c8f883564e4346883d9063980eea40a140b71d7a17ccd6185efc5b4fde3447a8b21a0e13b0a3ab57eda8e0e05f2ab075065ca96c7b72be631479

Download Submit
C:\Users\Admin\AppData\Local\Temp\40iwpY0nJ9.bat

Filesize
256B

MD5
f66b42f523b88aef3661d6ac5c476455

SHA1
57ea407873ef6eb79c55ae942be21bc828c2fd21

SHA256
8028fb878b7031c3369f6fa180e8648b3d8c2d975f3bf9f22545620ba20f8e1f

SHA512
2b2bffc0b091e54c89014b2359a461afee9fa38dae5c3b4cd9495a1d76d53956232d133f5fbb068c65856de48265fb61f6b28d5ec3053c0ce4fd667b5092736f

Download Submit
C:\Users\Admin\AppData\Local\Temp\67dfe054-c5f5-481d-ae8b-150ed28a993b.vbs

Filesize
767B

MD5
b56865edbd83babbb3e749e9ba0d3858

SHA1
a240ef098b14d3325b4a8f903faf879a8a0040fd

SHA256
0e2903950242e98d06ce2de47cd17af23dcf5dbe0c410d3460bb8bf96834e8ed

SHA512
5ee66418e5fd7b4362b4d0d32b8c67eff56c8c4d93e4518fe857a8a6a1653cd4175a7575bdab07940f0478892282583196fb48ab26e96e7f9093b8e2f3db5677

Download Submit
C:\Users\Admin\AppData\Local\Temp\708ab6e6-77dc-45b3-9f58-87ebb969c19e.vbs

Filesize
767B

MD5
3d9197bee1d9d94e0dbaace5465a4405

SHA1
67a1998bb7fe329dd8e03acbad82aa5f7a891273

SHA256
8e34f85b5fdd30d331ec539a4d019ee22eb949baa39313fbec899d5d1801206d

SHA512
ca6dfee039a4f1e5b6fb67f3425abdf022e4a87ca65d97d3e1c3d61bcd822896f7dd3c8ffba20abc5a2ec03db764ed5c0f8a64e3226783990c98ff2012346dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\735a0fe9-7995-42b8-8bec-91550b69168d.vbs

Filesize
767B

MD5
87a6ecdc88e99353ab63690d155b3f33

SHA1
7f7141e70d0cd190c06ddf445c57eba1a26d5b2b

SHA256
de595bb5dfd6276100ebfec9deddea5a6a380657b4a262614e548bad2e644437

SHA512
9f59b78bdd4d830b4cd3de16c3a5874f8ed46a63fd99dc8c300b3f212d03259a5e28a0534959668cbc505f33f3356f90c84482aecf4350e7ea564fd478148909

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxqbeqwn.qq0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed71c598-f000-4a87-b09f-f42b31dfa59f.vbs

Filesize
767B

MD5
e844cfcb182d9fe348c38061d99cf45c

SHA1
b1807ce822cc094a4f40c4dcd5fef6d631e23d95

SHA256
264d9905abebc778122381c46c1bbe7cb5fd21b25e0f444c4ca14d9dabe8bcda

SHA512
5ab4f2a09d19c2da60e04f07ff7109cd8d97e70a5398f661b5aed4a6f1a3da1e9474fd2742a85a2f321bb85ab68a4534fbd6702dff581712deba3fc8e03dce9e

Download Submit
memory/1892-280-0x000001C16E0B0000-0x000001C16E0D2000-memory.dmp

Filesize
136KB

Download
memory/4044-12-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/4044-13-0x000000001BBF0000-0x000000001C118000-memory.dmp

Filesize
5.2MB

Download
memory/4044-23-0x00007FFD41BF0000-0x00007FFD426B1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-195-0x00007FFD41BF0000-0x00007FFD426B1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-22-0x00007FFD41BF0000-0x00007FFD426B1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-229-0x00007FFD41BF0000-0x00007FFD426B1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-15-0x000000001B7D0000-0x000000001B7DA000-memory.dmp

Filesize
40KB

Download
memory/4044-19-0x000000001B910000-0x000000001B91C000-memory.dmp

Filesize
48KB

Download
memory/4044-295-0x00007FFD41BF0000-0x00007FFD426B1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-16-0x000000001B7E0000-0x000000001B7EE000-memory.dmp

Filesize
56KB

Download
memory/4044-17-0x000000001B7F0000-0x000000001B7F8000-memory.dmp

Filesize
32KB

Download
memory/4044-18-0x000000001B900000-0x000000001B90C000-memory.dmp

Filesize
48KB

Download
memory/4044-14-0x000000001B6C0000-0x000000001B6CC000-memory.dmp

Filesize
48KB

Download
memory/4044-171-0x00007FFD41BF3000-0x00007FFD41BF5000-memory.dmp

Filesize
8KB

Download
memory/4044-0-0x00007FFD41BF3000-0x00007FFD41BF5000-memory.dmp

Filesize
8KB

Download
memory/4044-10-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/4044-9-0x0000000002790000-0x000000000279C000-memory.dmp

Filesize
48KB

Download
memory/4044-1-0x00000000001E0000-0x00000000003A0000-memory.dmp

Filesize
1.8MB

Download
memory/4044-6-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/4044-7-0x0000000002710000-0x0000000002726000-memory.dmp

Filesize
88KB

Download
memory/4044-8-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4044-5-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/4044-4-0x0000000002740000-0x0000000002790000-memory.dmp

Filesize
320KB

Download
memory/4044-3-0x00000000025B0000-0x00000000025CC000-memory.dmp

Filesize
112KB

Download
memory/4044-2-0x00007FFD41BF0000-0x00007FFD426B1000-memory.dmp

Filesize
10.8MB

Download
memory/4880-403-0x000000001B370000-0x000000001B382000-memory.dmp

Filesize
72KB

Download