dcrat | 854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c

Analysis

max time kernel
94s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
Size

1.7MB
MD5

f2a682c815b566f24cddcaa11469c774
SHA1

9fa7e11c793432e8aebfb2ed67bd3963dd5459ba
SHA256

854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c
SHA512

95d46731c94157862fb2e45c23b5b2bf3e8718366a814f7e3c8270f89ad413f392df430088cffc80996ccab159cace9e18d4ff36ca1b6d0a183b75051f9431ec
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ0:NgwuuEpdDLNwVMeXDL0fdSzAGH

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3876	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3876	schtasks.exe	82

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4544-1-0x00000000008B0000-0x0000000000A66000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ca3-29.dat	dcrat
behavioral2/files/0x000c000000023ccd-102.dat	dcrat
behavioral2/files/0x0009000000023c9f-113.dat	dcrat
behavioral2/files/0x0009000000023ca3-124.dat	dcrat
behavioral2/files/0x000a000000023ca9-170.dat	dcrat
behavioral2/files/0x000b000000023cad-194.dat	dcrat
behavioral2/memory/4100-379-0x0000000000130000-0x00000000002E6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2340	powershell.exe
4688	powershell.exe
4060	powershell.exe
3912	powershell.exe
3644	powershell.exe
3872	powershell.exe
3004	powershell.exe
1084	powershell.exe
1544	powershell.exe
2444	powershell.exe
3860	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 2 IoCs

pid	Process
4100	dwm.exe
4580	dwm.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\5940a34987c991	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RCXC17D.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\69ddcba757bf72	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\55b276f4edf653	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC393.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\dllhost.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TextInputHost.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXCABD.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RCXCCC2.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXDAC8.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\Crashpad\attachments\System.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXE240.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXE241.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files\Crashpad\attachments\27d1bcfc3c54e0	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RCXC17E.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC392.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RCXCD30.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files\Crashpad\attachments\System.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\csrss.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXDB37.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\winlogon.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files (x86)\Windows Mail\dllhost.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXCA3F.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\22eafd247d37c3	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TextInputHost.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\RuntimeBroker.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Windows\Cursors\9e8d7a4ca61bd9	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Windows\INF\LSM\System.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Windows\INF\LSM\27d1bcfc3c54e0	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Windows\INF\LSM\RCXDD3B.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File created	C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\uk-UA\services.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Windows\Cursors\RCXD8C3.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Windows\Cursors\RCXD8C4.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Windows\Cursors\RuntimeBroker.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Windows\INF\LSM\RCXDD3C.tmp	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
File opened for modification	C:\Windows\INF\LSM\System.exe	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3080	schtasks.exe
4692	schtasks.exe
2300	schtasks.exe
4912	schtasks.exe
3364	schtasks.exe
3556	schtasks.exe
4508	schtasks.exe
2584	schtasks.exe
2824	schtasks.exe
232	schtasks.exe
3220	schtasks.exe
3128	schtasks.exe
3472	schtasks.exe
2832	schtasks.exe
4644	schtasks.exe
468	schtasks.exe
3632	schtasks.exe
1700	schtasks.exe
3860	schtasks.exe
4064	schtasks.exe
1376	schtasks.exe
2188	schtasks.exe
3648	schtasks.exe
3232	schtasks.exe
4972	schtasks.exe
1816	schtasks.exe
2996	schtasks.exe
3612	schtasks.exe
1028	schtasks.exe
1372	schtasks.exe
404	schtasks.exe
804	schtasks.exe
1108	schtasks.exe
1520	schtasks.exe
4588	schtasks.exe
1556	schtasks.exe
4564	schtasks.exe
4896	schtasks.exe
1536	schtasks.exe
2664	schtasks.exe
4532	schtasks.exe
1908	schtasks.exe
5032	schtasks.exe
2280	schtasks.exe
4884	schtasks.exe
1200	schtasks.exe
4428	schtasks.exe
2388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	4100	dwm.exe
Token: SeDebugPrivilege	4580	dwm.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 1544	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	131
PID 4544 wrote to memory of 1544	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	131
PID 4544 wrote to memory of 3644	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	132
PID 4544 wrote to memory of 3644	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	132
PID 4544 wrote to memory of 1084	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	133
PID 4544 wrote to memory of 1084	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	133
PID 4544 wrote to memory of 3860	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	134
PID 4544 wrote to memory of 3860	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	134
PID 4544 wrote to memory of 3004	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	135
PID 4544 wrote to memory of 3004	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	135
PID 4544 wrote to memory of 3872	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	136
PID 4544 wrote to memory of 3872	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	136
PID 4544 wrote to memory of 2444	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	138
PID 4544 wrote to memory of 2444	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	138
PID 4544 wrote to memory of 2340	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	139
PID 4544 wrote to memory of 2340	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	139
PID 4544 wrote to memory of 4688	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	140
PID 4544 wrote to memory of 4688	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	140
PID 4544 wrote to memory of 4060	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	141
PID 4544 wrote to memory of 4060	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	141
PID 4544 wrote to memory of 3912	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	142
PID 4544 wrote to memory of 3912	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	142
PID 4544 wrote to memory of 2336	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	152
PID 4544 wrote to memory of 2336	4544	854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe	152
PID 2336 wrote to memory of 4312	2336	cmd.exe	155
PID 2336 wrote to memory of 4312	2336	cmd.exe	155
PID 2336 wrote to memory of 4100	2336	cmd.exe	159
PID 2336 wrote to memory of 4100	2336	cmd.exe	159
PID 4100 wrote to memory of 5048	4100	dwm.exe	160
PID 4100 wrote to memory of 5048	4100	dwm.exe	160
PID 4100 wrote to memory of 2344	4100	dwm.exe	161
PID 4100 wrote to memory of 2344	4100	dwm.exe	161
PID 5048 wrote to memory of 4580	5048	WScript.exe	165
PID 5048 wrote to memory of 4580	5048	WScript.exe	165

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe
"C:\Users\Admin\AppData\Local\Temp\854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qQ3Z8m6myP.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4312
- - C:\Recovery\WindowsRE\dwm.exe
    "C:\Recovery\WindowsRE\dwm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fec53bdd-f1fb-4c4c-8126-56f1cda7d34a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Recovery\WindowsRE\dwm.exe
        
        C:\Recovery\WindowsRE\dwm.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df409b2e-f947-4f57-9388-780120601c57.vbs"
      4⤵
      PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Cursors\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\attachments\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\attachments\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\INF\LSM\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\INF\LSM\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\INF\LSM\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TextInputHost.exe

Filesize
1.7MB

MD5
2dd6bd85f438ecea53c2c95c7a7e7722

SHA1
4d8d11927cde50f0e10b1a9c0e701b340a1172f9

SHA256
45489d295dc620f1904904f0590a81a6164edc03b6c3f948e5feab9d414e534b

SHA512
113a130124a92e219786162644ae9f458607219671f016c8a266f6f15830feaa9f660095aefdd5b6c60857ed4fec584561c0b80d4595d4fdd047497c7fcbe12b

Download Submit
C:\Program Files\Crashpad\attachments\System.exe

Filesize
1.7MB

MD5
e8280bb894d9ca83a09df0ab0f3f1e2a

SHA1
34579b89a256f22d64a4cb5f06598622dee10b46

SHA256
f9df9e093cbe21b16a5106bef1b0ea7a003e9c3e358fba4f60eeeb53935381f9

SHA512
06fb327001cd0b66a12de5cad61e6110689b6f75c037dfec646298e200244e666d84e5a50c67c606b6aff38e6d31a4ae89e93f5bc64870b3081fa19e372fa259

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe

Filesize
1.7MB

MD5
f2a682c815b566f24cddcaa11469c774

SHA1
9fa7e11c793432e8aebfb2ed67bd3963dd5459ba

SHA256
854533e8d0bbf39a16975738f7d10dc32f776ad5a35963fc823796f5f780d41c

SHA512
95d46731c94157862fb2e45c23b5b2bf3e8718366a814f7e3c8270f89ad413f392df430088cffc80996ccab159cace9e18d4ff36ca1b6d0a183b75051f9431ec

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe

Filesize
1.7MB

MD5
a25649688ee4eba63cfae70a7eb5d4f3

SHA1
94484a46a190e4b10180dff9052ea24e0cdd579d

SHA256
7f9803b653217afa2b264fa4130706c719ca46d624b218dfd9eed4ee63d9b373

SHA512
38d01f71fad02d872151dd54a1acd1b9110807ef578bbffd020baa88d72d38f2393f5508b5861ecca3313bd853ba70c05d2ee28f0c28303a7fced6ef8bfcc297

Download Submit
C:\Recovery\WindowsRE\Registry.exe

Filesize
1.7MB

MD5
72ba21b84c838c6292c9f0915a9de57e

SHA1
007bc288a59fe57dc6f2c9f67b94fb5dc363d6e2

SHA256
9a9afb502507658a3fb0053901f126ce00f64de849518d7d32a7f66b5c0b4b71

SHA512
7a0077daa622506a09bb5706b7a4619dfcf8e9d374c70a21d84acf2a1d4f569da97841321d38407ce1e21861da6b6af8c73920567cc5e5d88455c7f860deb470

Download Submit
C:\Recovery\WindowsRE\dwm.exe

Filesize
1.7MB

MD5
e5aaa7dd72f6a73c414f73da79f84be1

SHA1
3b7fa296afd868c3590429f65ca99690a047a43e

SHA256
070719ac248f6a3421e8809c7e51c1d367c82aeb8e4fdbce53ff4f33866efe5b

SHA512
7a3f20abb77c7e2b3d78c30cd598de293cc93400c908b11a5447f84f337ff80ec1515a20ed859526da2109f988a90474ae4bee812b5052482378ad5a20cc3c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jl1ifiux.s5g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\df409b2e-f947-4f57-9388-780120601c57.vbs

Filesize
481B

MD5
8a401b6dd13fb2d60c05a8ac4cea4364

SHA1
497b929a07135a873af3ceccc8eba0b003c70c06

SHA256
50874fe8cfb64f3cd9a341c2b2dda0749164fafd79078c1558ac70b3a7446498

SHA512
4b02c6f50c3a75d02d158efe7ec5d5ecb0ab342f3de4c45b4da4f8ba4222f1a0b149080248e93b7137dc36b6d1ba909f6b74638cd35a4ba56e3e11f0a056dc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fec53bdd-f1fb-4c4c-8126-56f1cda7d34a.vbs

Filesize
705B

MD5
f512688f73e1fffc163c141ac819ee18

SHA1
f888754dfff64e49ef753dd122eba93f131d461a

SHA256
ad51624d1eff61bb04d59cd59840d55c12a34cabc07172cac25a625db011feeb

SHA512
8639c91ae6a8401e00896b01aa8ba9bcd9affbbe9abffd15f9d2b46eeb6b37adc4601b1a668fe7e02fd7c3e306450b5150cd9f7c256a7f56ddfda695922665ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQ3Z8m6myP.bat

Filesize
194B

MD5
6a4bbece50db860bcbaf94c4c0426b84

SHA1
109aecc664565beef81621de0ad18eb2768a5654

SHA256
900ac14a887cc724aab3094f975bceac67a2c620ed38626f29a065f18653e67e

SHA512
126e48ec2d6538cf10e564d2bfd4182f0c42d783456fda63c41a4ceabbaacfcf5aa54625d19bb1107fbbc0a0ffd8775566d1e3c4698fc32a0aaca31f0026b587

Download Submit
memory/3644-260-0x000001BA31DF0000-0x000001BA31E12000-memory.dmp

Filesize
136KB

Download
memory/4100-379-0x0000000000130000-0x00000000002E6000-memory.dmp

Filesize
1.7MB

Download
memory/4544-288-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/4544-17-0x000000001C0A0000-0x000000001C0AC000-memory.dmp

Filesize
48KB

Download
memory/4544-0-0x00007FFBAC563000-0x00007FFBAC565000-memory.dmp

Filesize
8KB

Download
memory/4544-10-0x000000001B5E0000-0x000000001B5EC000-memory.dmp

Filesize
48KB

Download
memory/4544-161-0x00007FFBAC563000-0x00007FFBAC565000-memory.dmp

Filesize
8KB

Download
memory/4544-14-0x000000001C0F0000-0x000000001C0FC000-memory.dmp

Filesize
48KB

Download
memory/4544-185-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/4544-13-0x000000001B710000-0x000000001B71C000-memory.dmp

Filesize
48KB

Download
memory/4544-208-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/4544-220-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/4544-18-0x000000001C100000-0x000000001C10C000-memory.dmp

Filesize
48KB

Download
memory/4544-11-0x000000001B5F0000-0x000000001B5F8000-memory.dmp

Filesize
32KB

Download
memory/4544-19-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/4544-15-0x000000001C080000-0x000000001C08A000-memory.dmp

Filesize
40KB

Download
memory/4544-16-0x000000001C090000-0x000000001C098000-memory.dmp

Filesize
32KB

Download
memory/4544-9-0x000000001B5D0000-0x000000001B5E0000-memory.dmp

Filesize
64KB

Download
memory/4544-8-0x000000001B5C0000-0x000000001B5D2000-memory.dmp

Filesize
72KB

Download
memory/4544-7-0x000000001B5A0000-0x000000001B5B6000-memory.dmp

Filesize
88KB

Download
memory/4544-5-0x0000000001220000-0x0000000001228000-memory.dmp

Filesize
32KB

Download
memory/4544-6-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/4544-4-0x000000001BD30000-0x000000001BD80000-memory.dmp

Filesize
320KB

Download
memory/4544-22-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/4544-3-0x0000000001240000-0x000000000125C000-memory.dmp

Filesize
112KB

Download
memory/4544-2-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/4544-1-0x00000000008B0000-0x0000000000A66000-memory.dmp

Filesize
1.7MB

Download
memory/4580-392-0x000000001B9D0000-0x000000001B9E2000-memory.dmp

Filesize
72KB

Download