dcrat | 854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
Size

1.7MB
MD5

f2a682c815b566f24cddcaa11469c774
SHA1

9fa7e11c793432e8aebfb2ed67bd3963dd5459ba
SHA256

854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c
SHA512

95d46731c94157862fb2e45c23b5b2bf3e8718366a814f7e3c8270f89ad413f392df430088cffc80996ccab159cace9e18d4ff36ca1b6d0a183b75051f9431ec
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ0:NgwuuEpdDLNwVMeXDL0fdSzAGH

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	3024	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	3024	schtasks.exe	82

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/692-1-0x0000000000770000-0x0000000000926000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b8d-29.dat	dcrat
behavioral2/files/0x000d000000023b74-72.dat	dcrat
behavioral2/files/0x000b000000023b91-120.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1748	powershell.exe
2452	powershell.exe
3816	powershell.exe
3964	powershell.exe
3436	powershell.exe
2236	powershell.exe
3092	powershell.exe
4880	powershell.exe
712	powershell.exe
2348	powershell.exe
4080	powershell.exe
5072	powershell.exe
1152	powershell.exe
2024	powershell.exe
4444	powershell.exe
3892	powershell.exe
3860	powershell.exe
708	powershell.exe
2396	powershell.exe
4608	powershell.exe
392	powershell.exe
4772	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 3 IoCs

pid	Process
2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4468	unsecapp.exe
1564	unsecapp.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\29c1c3cc0f7685	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCX9602.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\7a0fd90576e088	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\Windows Mail\unsecapp.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\sihost.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX8D71.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\explorer.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files\Windows Mail\29c1c3cc0f7685	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX91EA.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\sihost.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\5940a34987c991	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\66fc9ff0ee96c2	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX8DDF.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\explorer.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX91EB.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCX9603.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files\Windows Mail\unsecapp.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteApps\services.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Windows\RemotePackages\RemoteApps\c5b4cb5e9653cc	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\services.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Windows\DigitalLocker\dllhost.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Windows\DigitalLocker\5940a34987c991	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Windows\DigitalLocker\RCX8AEE.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Windows\DigitalLocker\RCX8AEF.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Windows\DigitalLocker\dllhost.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
724	schtasks.exe
4744	schtasks.exe
4680	schtasks.exe
1660	schtasks.exe
4144	schtasks.exe
3728	schtasks.exe
4992	schtasks.exe
5108	schtasks.exe
3452	schtasks.exe
1356	schtasks.exe
452	schtasks.exe
3300	schtasks.exe
4612	schtasks.exe
1644	schtasks.exe
2204	schtasks.exe
1388	schtasks.exe
2780	schtasks.exe
4108	schtasks.exe
3916	schtasks.exe
1132	schtasks.exe
4192	schtasks.exe
3924	schtasks.exe
1604	schtasks.exe
656	schtasks.exe
2816	schtasks.exe
2964	schtasks.exe
972	schtasks.exe
2364	schtasks.exe
760	schtasks.exe
5116	schtasks.exe
4072	schtasks.exe
4996	schtasks.exe
3836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4880	powershell.exe
4880	powershell.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
3816	powershell.exe
3816	powershell.exe
4772	powershell.exe
4772	powershell.exe
712	powershell.exe
712	powershell.exe
1748	powershell.exe
1748	powershell.exe
3860	powershell.exe
3860	powershell.exe
3892	powershell.exe
3892	powershell.exe
2452	powershell.exe
2452	powershell.exe
3816	powershell.exe
3436	powershell.exe
3436	powershell.exe
2024	powershell.exe
2024	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
2024	powershell.exe
4880	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	4468	unsecapp.exe
Token: SeDebugPrivilege	1564	unsecapp.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 4880	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	110
PID 692 wrote to memory of 4880	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	110
PID 692 wrote to memory of 4772	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	111
PID 692 wrote to memory of 4772	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	111
PID 692 wrote to memory of 3964	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	112
PID 692 wrote to memory of 3964	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	112
PID 692 wrote to memory of 3816	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	113
PID 692 wrote to memory of 3816	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	113
PID 692 wrote to memory of 1748	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	114
PID 692 wrote to memory of 1748	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	114
PID 692 wrote to memory of 3860	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	115
PID 692 wrote to memory of 3860	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	115
PID 692 wrote to memory of 2024	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	116
PID 692 wrote to memory of 2024	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	116
PID 692 wrote to memory of 3892	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	117
PID 692 wrote to memory of 3892	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	117
PID 692 wrote to memory of 2452	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	122
PID 692 wrote to memory of 2452	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	122
PID 692 wrote to memory of 3436	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	126
PID 692 wrote to memory of 3436	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	126
PID 692 wrote to memory of 712	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	127
PID 692 wrote to memory of 712	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	127
PID 692 wrote to memory of 4048	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	132
PID 692 wrote to memory of 4048	692	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	132
PID 4048 wrote to memory of 2228	4048	cmd.exe	135
PID 4048 wrote to memory of 2228	4048	cmd.exe	135
PID 4048 wrote to memory of 2832	4048	cmd.exe	138
PID 4048 wrote to memory of 2832	4048	cmd.exe	138
PID 2832 wrote to memory of 2236	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	148
PID 2832 wrote to memory of 2236	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	148
PID 2832 wrote to memory of 708	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	149
PID 2832 wrote to memory of 708	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	149
PID 2832 wrote to memory of 2396	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	150
PID 2832 wrote to memory of 2396	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	150
PID 2832 wrote to memory of 2348	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	151
PID 2832 wrote to memory of 2348	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	151
PID 2832 wrote to memory of 4080	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	152
PID 2832 wrote to memory of 4080	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	152
PID 2832 wrote to memory of 5072	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	153
PID 2832 wrote to memory of 5072	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	153
PID 2832 wrote to memory of 1152	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	154
PID 2832 wrote to memory of 1152	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	154
PID 2832 wrote to memory of 4608	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	155
PID 2832 wrote to memory of 4608	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	155
PID 2832 wrote to memory of 4444	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	156
PID 2832 wrote to memory of 4444	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	156
PID 2832 wrote to memory of 3092	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	157
PID 2832 wrote to memory of 3092	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	157
PID 2832 wrote to memory of 392	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	158
PID 2832 wrote to memory of 392	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	158
PID 2832 wrote to memory of 4468	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	170
PID 2832 wrote to memory of 4468	2832	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	170
PID 4468 wrote to memory of 2012	4468	unsecapp.exe	171
PID 4468 wrote to memory of 2012	4468	unsecapp.exe	171
PID 4468 wrote to memory of 5004	4468	unsecapp.exe	172
PID 4468 wrote to memory of 5004	4468	unsecapp.exe	172
PID 2012 wrote to memory of 1564	2012	WScript.exe	173
PID 2012 wrote to memory of 1564	2012	WScript.exe	173

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
"C:\Users\Admin\AppData\Local\Temp\854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjVk2zv8Jg.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2228
- - C:\Users\Admin\AppData\Local\Temp\854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
    "C:\Users\Admin\AppData\Local\Temp\854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:392
  - - C:\Program Files\Windows Mail\unsecapp.exe
      "C:\Program Files\Windows Mail\unsecapp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70ff56cb-ccfe-4bbd-9922-1438d0a89188.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Program Files\Windows Mail\unsecapp.exe
        
        "C:\Program Files\Windows Mail\unsecapp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\444b120f-89c9-489a-92f9-d1fc73fe27b2.vbs"
        5⤵
        
        PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\AppData\Local\History\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\History\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Local\History\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteApps\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteApps\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe

Filesize
1.7MB

MD5
f2a682c815b566f24cddcaa11469c774

SHA1
9fa7e11c793432e8aebfb2ed67bd3963dd5459ba

SHA256
854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c

SHA512
95d46731c94157862fb2e45c23b5b2bf3e8718366a814f7e3c8270f89ad413f392df430088cffc80996ccab159cace9e18d4ff36ca1b6d0a183b75051f9431ec

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe

Filesize
1.7MB

MD5
8ad6dba991265e02b20967b581fe0018

SHA1
9866e901b218ffdc0d050ffeb8b8f62a0abe44f8

SHA256
cdb6150d72a5f2f21cf1f097a9242571ece65f5bec16ad036edc2a7804e3e240

SHA512
be59e9cb2089846e6e6fbdcae11a6643b744ece93039d599cb0a5a0c27d026dfe6ef457db1849e17ad203f222b63de97c921b98375132286beeb4fe5b622b9f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9a7f35c006bbf5da72f9cb250ffbddb

SHA1
458a8cedc38dac109631d9fccb3bf6d2c5c0e89e

SHA256
a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b

SHA512
d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4d7e01f2da5faf06203d0bdcf32f2aee

SHA1
972128bc0896422301531607773f6af989535547

SHA256
57df11f5726f22f6b65380a63c6ddeeced49bd543781cf05428932500c6e2cef

SHA512
2d446d1ed39875581a11fc433c9fd13c7b5ad4133c50f93cfc18e355339c1dd8937058864250c9e3d659049f4feb8cf8e1ce3fd90716eb5c9b8cd309b9ccc16d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6bf2927575032d77fab2956579e56348

SHA1
55bfbdacbf4a787b232793f19eca4df667722621

SHA256
a8f97ad6d46dc8b95328e3d85c48451537b2c71855a5913f7b2f3305dab0b6f0

SHA512
7649c7f3c6d753ce6d374798f1f9e0bc6aa84fd445407bd0a0a4cfaa6f48c5d54deb0c836b39b5104c9e82922c0daa84fe824c43f84ae89860c7d1c68610decc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08526e4d8fed0a382c243c9aa8b1fe45

SHA1
f3da4b97529aaa38230db8bfa34a345bbc211622

SHA256
b5044625d66b7835745c7c4efa14d21aaf4ee42bf971f8bbc44f04416b91441f

SHA512
cbeb569db60eabd89c13b073f1bdf7ba991b6206e75f548396a150b08a0ffed1962d88d664e069c64ac740afbb69941df2f43e81a3f138e2185934967898941d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bc113211a3e72478c93989952aee3251

SHA1
5eeb2f2e4642ef5f147dd118742ea3c3dcf0cd16

SHA256
c6059355503eca5b35ac8446442eb5031ab610b7353cd2e8a3cf07dc99469fae

SHA512
c0748cc3a4b701f5cefeeaf9ac1bdbae28cfcf1dad8e89a2db2c756b908011ee8e945b6d02bef816763fc5acc38a72657316f5cd56c62342c8e779a50f4f4460

Download Submit
C:\Users\Admin\AppData\Local\Temp\444b120f-89c9-489a-92f9-d1fc73fe27b2.vbs

Filesize
494B

MD5
3d24dbaf333fd76a2f60839be32d576f

SHA1
5e97f2d741db4e7ddd3c9f5defca3a896e49e8e4

SHA256
94727e218103e78700263f04e62e3cd359ef4c85e3957cbee189f3296b502e32

SHA512
edfd08118f9d0233b04437ffff456ec5b4067f0a2cb9d1da8e78d327aca1e6eaadd5c3cd79901018600a70ab79739f688aeea6dd0c45bed0f67f926b4a35965e

Download Submit
C:\Users\Admin\AppData\Local\Temp\70ff56cb-ccfe-4bbd-9922-1438d0a89188.vbs

Filesize
718B

MD5
1b3d10b286e93cd79af12b54cea7b730

SHA1
ca468ea2e6834efc57ff4ab94388a1444f7b7298

SHA256
0678afb9560f6ccca3a46291f1b61e2cff6916549277c89522722d4f218e9757

SHA512
93fe814f9888d46c0dabce17985c18ae95876073d60edd7f159b3f456fbde461298623b6f0e6d99b371b2b342ff1074bacd942a946890724dcf4a3fc2807971b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a11zos1o.jqj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjVk2zv8Jg.bat

Filesize
267B

MD5
849d6f5b45217eecded9af6077ff7a5c

SHA1
333d12f08c3a270145b094701e8f5d935093e9e9

SHA256
358819beecc4d310db053a8500375a458edc9b9a1c35223c16d5090723f0cc8e

SHA512
00e8f38061b6f46d7cafde083bb8771dd309b29bcc04d2aadd2de18417837a77328ae66ce51c380a6ab4ba9effe8ab2b1f32785732945690848a52ba638890c0

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows\History\csrss.exe

Filesize
1.7MB

MD5
7cd293ba644559b10548639885e41418

SHA1
d3a1ecae4eff3a31d4b28911635418b0d2fc8100

SHA256
560051c9e307ef484baac0b0a83a497a268bfe9ffc93cf086a1e3aa7ad42f8e0

SHA512
d2bf16d0f926388ac50c8b680ce948ec021ae20c70b01a46ab826a130b49d379f1c11b4b108a6897611ab0cb83b46bb54f733218ab8503ef2880aa332e63c1d9

Download Submit
memory/692-13-0x000000001B4C0000-0x000000001B4CC000-memory.dmp

Filesize
48KB

Download
memory/692-10-0x000000001B490000-0x000000001B49C000-memory.dmp

Filesize
48KB

Download
memory/692-1-0x0000000000770000-0x0000000000926000-memory.dmp

Filesize
1.7MB

Download
memory/692-22-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

Filesize
10.8MB

Download
memory/692-203-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

Filesize
10.8MB

Download
memory/692-21-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

Filesize
10.8MB

Download
memory/692-18-0x000000001BF80000-0x000000001BF8C000-memory.dmp

Filesize
48KB

Download
memory/692-14-0x000000001B4D0000-0x000000001B4DC000-memory.dmp

Filesize
48KB

Download
memory/692-16-0x000000001BE60000-0x000000001BE68000-memory.dmp

Filesize
32KB

Download
memory/692-17-0x000000001BF70000-0x000000001BF7C000-memory.dmp

Filesize
48KB

Download
memory/692-15-0x000000001B640000-0x000000001B64A000-memory.dmp

Filesize
40KB

Download
memory/692-0-0x00007FFD55DD3000-0x00007FFD55DD5000-memory.dmp

Filesize
8KB

Download
memory/692-11-0x000000001B4B0000-0x000000001B4B8000-memory.dmp

Filesize
32KB

Download
memory/692-128-0x00007FFD55DD3000-0x00007FFD55DD5000-memory.dmp

Filesize
8KB

Download
memory/692-9-0x000000001B4A0000-0x000000001B4B0000-memory.dmp

Filesize
64KB

Download
memory/692-2-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

Filesize
10.8MB

Download
memory/692-3-0x00000000029A0000-0x00000000029BC000-memory.dmp

Filesize
112KB

Download
memory/692-8-0x0000000002B40000-0x0000000002B52000-memory.dmp

Filesize
72KB

Download
memory/692-7-0x000000001B470000-0x000000001B486000-memory.dmp

Filesize
88KB

Download
memory/692-5-0x0000000002B20000-0x0000000002B28000-memory.dmp

Filesize
32KB

Download
memory/692-6-0x0000000002B30000-0x0000000002B40000-memory.dmp

Filesize
64KB

Download
memory/692-4-0x000000001B5F0000-0x000000001B640000-memory.dmp

Filesize
320KB

Download
memory/1564-462-0x0000000002C60000-0x0000000002C72000-memory.dmp

Filesize
72KB

Download
memory/2832-257-0x0000000002EF0000-0x0000000002F02000-memory.dmp

Filesize
72KB

Download
memory/3816-129-0x0000021168B80000-0x0000021168BA2000-memory.dmp

Filesize
136KB

Download
memory/4468-428-0x000000001B350000-0x000000001B362000-memory.dmp

Filesize
72KB

Download