dcrat | 18f98cf70e93f573af35a3f74fc6bf092d249b554336320f6c17a8925c35f8bb

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe
Size

2.2MB
MD5

50ee114bba99ce3a7ba3e64c0080a644
SHA1

3c9f1189b07b612888a1124714d1586408c78ba0
SHA256

e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6
SHA512

58b94a8596d4a94b28da6f0051d90bf098d9def8a112d9541eca814c7b46f5bae619a331831c060eff04f39b62cac1a2ad2a5fe380c75f59aa79322e09a4b64d
SSDEEP

49152:IBJaWLMtwyMxRizAwgueOJNN3lRHiKLWDWUs:yALwyMb9ue0NTH2Ps

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\Setup\\State\\csrss.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\Setup\\State\\csrss.exe\", \"C:\\Windows\\Fonts\\Registry.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\Setup\\State\\csrss.exe\", \"C:\\Windows\\Fonts\\Registry.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\conhost.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\Setup\\State\\csrss.exe\", \"C:\\Windows\\Fonts\\Registry.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\Setup\\State\\csrss.exe\", \"C:\\Windows\\Fonts\\Registry.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\hyperIntoBroker\\hyperProviderbrokermonitorNet.exe\""	hyperProviderbrokermonitorNet.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1200	schtasks.exe	86

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	hyperProviderbrokermonitorNet.exe

Executes dropped EXE 16 IoCs

pid	Process
824	hyperProviderbrokermonitorNet.exe
2308	spoolsv.exe
5076	spoolsv.exe
2044	spoolsv.exe
3680	spoolsv.exe
4548	spoolsv.exe
4288	spoolsv.exe
3560	spoolsv.exe
3328	spoolsv.exe
2708	spoolsv.exe
4128	spoolsv.exe
1832	spoolsv.exe
2976	spoolsv.exe
1012	spoolsv.exe
4536	spoolsv.exe
660	spoolsv.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Setup\\State\\csrss.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Setup\\State\\csrss.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\Fonts\\Registry.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\Fonts\\Registry.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\DigitalLocker\\en-US\\conhost.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperProviderbrokermonitorNet = "\"C:\\hyperIntoBroker\\hyperProviderbrokermonitorNet.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\DigitalLocker\\en-US\\conhost.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperProviderbrokermonitorNet = "\"C:\\hyperIntoBroker\\hyperProviderbrokermonitorNet.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	hyperProviderbrokermonitorNet.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD572DDCC1DD4160A722A97B9C71F53E.TMP	csc.exe
File created	\??\c:\Windows\System32\ljh0xx.exe	csc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Boot\SearchApp.exe	hyperProviderbrokermonitorNet.exe
File created	C:\Windows\DigitalLocker\en-US\conhost.exe	hyperProviderbrokermonitorNet.exe
File created	C:\Windows\DigitalLocker\en-US\088424020bedd6	hyperProviderbrokermonitorNet.exe
File created	C:\Windows\Fonts\Registry.exe	hyperProviderbrokermonitorNet.exe
File created	C:\Windows\Fonts\ee2ad38f3d4382	hyperProviderbrokermonitorNet.exe
File created	C:\Windows\Setup\State\csrss.exe	hyperProviderbrokermonitorNet.exe
File created	C:\Windows\Setup\State\886983d96e3d3e	hyperProviderbrokermonitorNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3404	PING.EXE
2228	PING.EXE
3880	PING.EXE
2204	PING.EXE
60	PING.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	hyperProviderbrokermonitorNet.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	spoolsv.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
3404	PING.EXE
2228	PING.EXE
3880	PING.EXE
2204	PING.EXE
60	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4712	schtasks.exe
384	schtasks.exe
5096	schtasks.exe
4004	schtasks.exe
1380	schtasks.exe
3160	schtasks.exe
660	schtasks.exe
2892	schtasks.exe
3668	schtasks.exe
4092	schtasks.exe
2176	schtasks.exe
3496	schtasks.exe
5020	schtasks.exe
4532	schtasks.exe
3696	schtasks.exe
4152	schtasks.exe
4372	schtasks.exe
744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe
824	hyperProviderbrokermonitorNet.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	2308	spoolsv.exe
Token: SeDebugPrivilege	5076	spoolsv.exe
Token: SeDebugPrivilege	2044	spoolsv.exe
Token: SeDebugPrivilege	3680	spoolsv.exe
Token: SeDebugPrivilege	4548	spoolsv.exe
Token: SeDebugPrivilege	4288	spoolsv.exe
Token: SeDebugPrivilege	3560	spoolsv.exe
Token: SeDebugPrivilege	3328	spoolsv.exe
Token: SeDebugPrivilege	2708	spoolsv.exe
Token: SeDebugPrivilege	4128	spoolsv.exe
Token: SeDebugPrivilege	1832	spoolsv.exe
Token: SeDebugPrivilege	2976	spoolsv.exe
Token: SeDebugPrivilege	1012	spoolsv.exe
Token: SeDebugPrivilege	4536	spoolsv.exe
Token: SeDebugPrivilege	660	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 4160	2532	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe	82
PID 2532 wrote to memory of 4160	2532	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe	82
PID 2532 wrote to memory of 4160	2532	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe	82
PID 4160 wrote to memory of 3116	4160	WScript.exe	83
PID 4160 wrote to memory of 3116	4160	WScript.exe	83
PID 4160 wrote to memory of 3116	4160	WScript.exe	83
PID 3116 wrote to memory of 824	3116	cmd.exe	85
PID 3116 wrote to memory of 824	3116	cmd.exe	85
PID 824 wrote to memory of 1712	824	hyperProviderbrokermonitorNet.exe	90
PID 824 wrote to memory of 1712	824	hyperProviderbrokermonitorNet.exe	90
PID 1712 wrote to memory of 5080	1712	csc.exe	92
PID 1712 wrote to memory of 5080	1712	csc.exe	92
PID 824 wrote to memory of 3640	824	hyperProviderbrokermonitorNet.exe	108
PID 824 wrote to memory of 3640	824	hyperProviderbrokermonitorNet.exe	108
PID 3640 wrote to memory of 1232	3640	cmd.exe	110
PID 3640 wrote to memory of 1232	3640	cmd.exe	110
PID 3640 wrote to memory of 3992	3640	cmd.exe	111
PID 3640 wrote to memory of 3992	3640	cmd.exe	111
PID 3640 wrote to memory of 2308	3640	cmd.exe	115
PID 3640 wrote to memory of 2308	3640	cmd.exe	115
PID 2308 wrote to memory of 2236	2308	spoolsv.exe	117
PID 2308 wrote to memory of 2236	2308	spoolsv.exe	117
PID 2236 wrote to memory of 3612	2236	cmd.exe	119
PID 2236 wrote to memory of 3612	2236	cmd.exe	119
PID 2236 wrote to memory of 1728	2236	cmd.exe	120
PID 2236 wrote to memory of 1728	2236	cmd.exe	120
PID 2236 wrote to memory of 5076	2236	cmd.exe	123
PID 2236 wrote to memory of 5076	2236	cmd.exe	123
PID 5076 wrote to memory of 4916	5076	spoolsv.exe	125
PID 5076 wrote to memory of 4916	5076	spoolsv.exe	125
PID 4916 wrote to memory of 4160	4916	cmd.exe	127
PID 4916 wrote to memory of 4160	4916	cmd.exe	127
PID 4916 wrote to memory of 3404	4916	cmd.exe	128
PID 4916 wrote to memory of 3404	4916	cmd.exe	128
PID 4916 wrote to memory of 2044	4916	cmd.exe	130
PID 4916 wrote to memory of 2044	4916	cmd.exe	130
PID 2044 wrote to memory of 2476	2044	spoolsv.exe	131
PID 2044 wrote to memory of 2476	2044	spoolsv.exe	131
PID 2476 wrote to memory of 2808	2476	cmd.exe	133
PID 2476 wrote to memory of 2808	2476	cmd.exe	133
PID 2476 wrote to memory of 4648	2476	cmd.exe	134
PID 2476 wrote to memory of 4648	2476	cmd.exe	134
PID 2476 wrote to memory of 3680	2476	cmd.exe	135
PID 2476 wrote to memory of 3680	2476	cmd.exe	135
PID 3680 wrote to memory of 3036	3680	spoolsv.exe	136
PID 3680 wrote to memory of 3036	3680	spoolsv.exe	136
PID 3036 wrote to memory of 2288	3036	cmd.exe	138
PID 3036 wrote to memory of 2288	3036	cmd.exe	138
PID 3036 wrote to memory of 3196	3036	cmd.exe	139
PID 3036 wrote to memory of 3196	3036	cmd.exe	139
PID 3036 wrote to memory of 4548	3036	cmd.exe	140
PID 3036 wrote to memory of 4548	3036	cmd.exe	140
PID 4548 wrote to memory of 696	4548	spoolsv.exe	141
PID 4548 wrote to memory of 696	4548	spoolsv.exe	141
PID 696 wrote to memory of 4172	696	cmd.exe	143
PID 696 wrote to memory of 4172	696	cmd.exe	143
PID 696 wrote to memory of 3444	696	cmd.exe	144
PID 696 wrote to memory of 3444	696	cmd.exe	144
PID 696 wrote to memory of 4288	696	cmd.exe	145
PID 696 wrote to memory of 4288	696	cmd.exe	145
PID 4288 wrote to memory of 528	4288	spoolsv.exe	146
PID 4288 wrote to memory of 528	4288	spoolsv.exe	146
PID 528 wrote to memory of 452	528	cmd.exe	148
PID 528 wrote to memory of 452	528	cmd.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe
"C:\Users\Admin\AppData\Local\Temp\e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\hyperIntoBroker\7ZVJJhRLWkC.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
      "C:\hyperIntoBroker/hyperProviderbrokermonitorNet.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:824
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vnrjsv0g\vnrjsv0g.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFB1.tmp" "c:\Windows\System32\CSCD572DDCC1DD4160A722A97B9C71F53E.TMP"
        6⤵
        
        PID:5080
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cBvYIOGrob.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3640
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1232
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3992
      - C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s6L5myzuOs.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1728
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mpHYiEZ4vY.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3404
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k1znnYI5tX.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4648
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B5GxaJWFI4.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3196
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aTXMUe3k.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3444
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ArRo6YWO69.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2552
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kMcIkiaMXi.bat"
        19⤵
        
        PID:1040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4504
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WJ1wtP2ROC.bat"
        21⤵
        
        PID:1052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2228
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2m5X78pZbp.bat"
        23⤵
        
        PID:1192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4780
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ojUBGqHdSI.bat"
        25⤵
        
        PID:748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3880
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat"
        27⤵
        
        PID:2060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1420
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WKriXx1WO.bat"
        29⤵
        
        PID:1892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:3020
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I3W1TCNLwG.bat"
        31⤵
        
        PID:4024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2204
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VkZKSVlIY6.bat"
        33⤵
        
        PID:2756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:1568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:4944
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nUe3m5ImHN.bat"
        35⤵
        
        PID:3636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:3700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\State\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Fonts\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 5 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderbrokermonitorNet" /sc ONLOGON /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 13 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
935ecb30a8e13f625a9a89e3b0fcbf8f

SHA1
41cb046b7b5f89955fd53949efad8e9f3971d731

SHA256
2a7b829afe6a140bb37d24cc7711749c20cdaaf9cc7c4a182ff081180b4d99e9

SHA512
1210281612b0101ce63555a1a7855589ff68e1eac5b8a2461e10808c5b92c5dd111be72406c2923a94e10b687ceda43dc24d8c22a49dab40a4af793ee6b740aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\0WKriXx1WO.bat

Filesize
209B

MD5
2b83219860b0963d080434e40ee68431

SHA1
9173b6ee2d45d1c5e0ed7d1ffd9a5486a8e65579

SHA256
10bc076216c6796456ef148596e481172c3f8c185e257e7fea34f9043c4236b4

SHA512
0b03c6f5a482ea92213673c3220323eadf7f0df6b698bb797797527adc3f52c3d1c3be7a4e218b6ec71f51e51f783c38a360e621f560cce7c5592074b2a9525a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5X78pZbp.bat

Filesize
209B

MD5
84e403c17a1372aeda6b6d46d87388f0

SHA1
9c2398980762392ec10462d7a0a3530473f0c126

SHA256
56fc34b17e45d55d62d6eb606efc79e119c59e3db860a14e5c1a89a3e90918cd

SHA512
5b6e8c825b6e1aa04d7fc0669a3808e0633e90d2dd19ee01d86dfae39cf5b63e89ac6f2b111875c0749417ea010112ab428d79ecd02ba34b28ba01f919603ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArRo6YWO69.bat

Filesize
209B

MD5
3a303e00c688d8d6baa067779994ed33

SHA1
161681b0c82570477f086a51676c12fe0177a774

SHA256
97ca71059f6a5b56086515469196eeb787a48eb142bc7de372aec83a59360a06

SHA512
d6f58127788399433bdfd9baa7826a6c157997fc1c0f0915bacc4d419742f37aeaa2f41f3f5a4d5b1f1d3adf12b520bf219d4c9425452d2ae5751545e1237a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5GxaJWFI4.bat

Filesize
209B

MD5
6807aa1f6ef2f7857c2c48ebd9b317f5

SHA1
5209bfc1908099acd8f630fa716a9ee9879cf062

SHA256
765c2a9dfadc19db174248d719eee7c805c9e83d75905c034815fda81dbc41c1

SHA512
8c77172fa99c2af4e2116c4d121f1008947ad873f9afc9f7936ede063fcb145978f0f6b2da6c6375f5a734643b0e1732050972dfc3dc52dc7608257a86364af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2aTXMUe3k.bat

Filesize
209B

MD5
e4ac218279ad56c9f6f6250677a7534f

SHA1
64b185e16a6e686ba48e729a2314a10926aa7a7e

SHA256
53d130a11418ee3a05a1df3614fa57e43e94fd0f5bf191f9369021ace49199e1

SHA512
1ce4f3b1537c70236f21fdae507419e71dcf1fc3fd2f4ef183411b3f4cad614166b32e7e966039e255caecc62379b57795c0bf5738c581c4c845ecee019798d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\I3W1TCNLwG.bat

Filesize
161B

MD5
178b8b41679935ece91ea2d4dfe0aed8

SHA1
0f325a5361115bc475b84c6b3efb546f3be86208

SHA256
290b3ccedb8d2096d7bc68501c94b548097512e39bd7ee7f83ce56ea8286ab90

SHA512
15d3e8ae8bee55389d38e9006df152bde458bc1916e5bcf12928add678c016fb25e890316846353ba7141b0f97ce50df8d2e8e9e735bd6524a1fa7d259d5de3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDFB1.tmp

Filesize
1KB

MD5
706cfa6bd8a34abfe47b0c3e362976ed

SHA1
17fe819b3c47c11cf1e0ce8edefac86c2420c7c6

SHA256
190d12d5ca8d97d667a01616a9a1e8f06060e5d0436cd2b56d28a24acf018e99

SHA512
1c21b65c76e20af1221589b9cd48a0b3e5c337b0075442fb0353da46da604cb61abb737b8e8d890507fd1c251dde5d97073b2712ad6f7af0b8e45150330a27a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkZKSVlIY6.bat

Filesize
209B

MD5
677edcca780edebf905a5db51e849861

SHA1
16d9c1d820c38b034012cfc7cc150a4dd28d1092

SHA256
3afbdc0891e720882adf38eeb1624166fb1e7bd29ab73e4303ce553e62cb1c70

SHA512
2c0fd5e809adfa33c6c2011de752772788bedf22f67796227b30d888507eade0f77c43f108bc769a9b4224c0930c10fdac1bf63df78800deaa1914d3a7a1c943

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJ1wtP2ROC.bat

Filesize
161B

MD5
616ff8d4c45eb831fa745c1f1e307bd3

SHA1
bf1b35c31c6772202a5ce745169c78234cb1a16b

SHA256
4d4207e84b24939c833f59d7b1e94364860b3d96c6fd2364677cb7bc6aa2577b

SHA512
66a38599e6f4f6ec6cc31aaa15f727b86d9e6144749e6d1af8d9f7027624e49e055bfb0cc7b9fd285ef983c7d7d1161868e402dd62ffcec343cab4c2b24129a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cBvYIOGrob.bat

Filesize
209B

MD5
d2e5ce5190374232d96ae3e9fc7fe477

SHA1
103ce93a52fb5642b38546f65bdb9cf8362cde39

SHA256
311c5067fb292e69d8c924c912d413b180ddb69f1e22f0daf58b0b5ff5e18d34

SHA512
cc4578d1582d65073b6ec00a13c7a8a930b0ba72ea8dddab1cff4bfbf239b3d807c9898eafdfc54df609e203c9fd735be979d23f3691c618fbb2ab41c21c459b

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1znnYI5tX.bat

Filesize
209B

MD5
42fd46ba3b33e2a212ee9187a1216e7f

SHA1
cd7bdf11220ad0a73e4be89292af20c874c50cb6

SHA256
04ad0c1c25bc371bd7d967780f3e8990b167dbc8862a4748b3e8195ab5c6ad65

SHA512
71a5ef1cb6b33b6780d90fa4f61351c42a3abc0601e1ba5164616068c1f8bfee16f0d8f2b1bae634192a4a8dc73ec9409dd8cbb25f840fed1e77b4d295cf2d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMcIkiaMXi.bat

Filesize
209B

MD5
eb250682e3e9644c0c84c39854cbcd6e

SHA1
39d7f5235589fb5fb6e86280354388a57fa54ca6

SHA256
169cf4248e93ffea33c93f3f2a02b0d4c6f66b04e4a96b8c7a09aa5b99e9c3f7

SHA512
79e59d678d2d0fdc7c6bff2f5554f09fc0078d685ae896fadc6aec04b29c94bc638e1882ef2b9db73ed97288901fd8f6c34b3ed470b583c98d3ee7c114a20ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpHYiEZ4vY.bat

Filesize
161B

MD5
187e28b0087f35fc97c6debf01b73656

SHA1
5181cb94b6e2764acdabec1b3040101169dd96d9

SHA256
b2eb400c64a42c2c768226fa5205c354646917e27b8e042e6ce32a2354492896

SHA512
42e31b136e9b559b0a35c4cd05317a2ba85cb94cf1cd54454d4761f9f4f2c023f55b9f8bd732f95d6b263cb4e082d274ade931570625a7c62727e917400718a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUe3m5ImHN.bat

Filesize
161B

MD5
750d183bad5af3fa065ef4a0c0156bb3

SHA1
c5219aa2f131931729d3e959e5610bb1e9855b94

SHA256
6eb15e8b53c8cd0e065a0dbdb2f3bd3c9edf46d0574fdafeefc2ef60a0890ddd

SHA512
79f01d6b567a148c1ec693f27f616e4dab8a2f043e50e4c9807c8582b67bb130154d5a208990b5836649f69d2a9b57ac04472f82d9a82960a915abc01ba3d0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojUBGqHdSI.bat

Filesize
161B

MD5
22ba8088332c20e2eb8428e342a3e41e

SHA1
87725cd424c082fa7bc60b67ad0eec2538dba8bd

SHA256
7c1b86d0b0496a40cee9812520902156477581763dfa6912e50c52fdf2dda9bb

SHA512
09e13b57672873d12881f5456c7589da9d0121e2e5839bf95c275a55585ef4d4934ef767929f8635735e3c323060a30d7e548857603fb8ed3feaa2f5b29cbcb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat

Filesize
209B

MD5
43c1639db3829c2e3c8a5c9b6e113019

SHA1
25057aee75721815ea4e7483ab2dcd8d1d958fd0

SHA256
957c65668c136c8002d1b62b7a310c0d78949a09ae9715dc8fa39c259db25bf1

SHA512
579c220deda1b62ac6523ce36b609faba44b50bb9babeaeea2f2e55116cf430ab7bdef510b48b4cfd74bc17083d655fa9bc711736368914b5271a96e9ec0c5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\s6L5myzuOs.bat

Filesize
209B

MD5
0c0c1b03844595d6140d6e0e5a983495

SHA1
2cb256183ed6cab94ba553f56f393de0e997a159

SHA256
aac9fe9914471f301a99d834d28e2d9d4260820f8f88d746055d10b7eb89e54f

SHA512
093d160b862028d0d3ab768f4ffe88236e378e218db08f32f352ef3006ba57f51a6dcbcfb53c7b1987edfc940ec4956f2592e21a96d319e2f7623d5d16eec475

Download Submit
C:\hyperIntoBroker\7ZVJJhRLWkC.bat

Filesize
78B

MD5
65f873c875c73f084119594a4449ecea

SHA1
9f050c5bfc5cd3d94c37acac16105f031658904f

SHA256
825a9f47fd1242c15bd81fea64d0f739c9e74f62a1820e182cfa069e1726fd90

SHA512
c4c2886fd99303e222a379a02c981532070c932acb70d2a7460fe257e22b8b0625018fab158e7be011bd5b2f7c45517e2c2fc947b11b84bbbda37ecc1bdc8d63

Download Submit
C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe

Filesize
1.9MB

MD5
54eff01605da5e7cbdb382c98ece2c2a

SHA1
be2ecfc24603a5e282bdfbb7780a03c1410879b8

SHA256
26bda6e083db3a3c3ccaf29434850d91bbb9e10c48886a6f6a06bbf6c183448d

SHA512
dd00705fb9741c6400145e2433af42605264a95e4c1fe44ee1579ac464463f9b493d8bdef98af4a5b03d717cd79357674cc09e5b8780c4ffe31a9704b08c89d0

Download Submit
C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe

Filesize
205B

MD5
3abc77a7e4977f35cab6e9f29e677438

SHA1
bd300a11ea5af663fe723883f8b5d980d1cbb417

SHA256
e987a0608105af1e7422322184159c1559b26e3d84c27917408c2cdbbd9f9a72

SHA512
b445fd9b854e822077d17b060edd7e253b8e8aeb8ebfb4e1084e2d604276295d715101f0ce1e1b25f0d83247385f76b1ab8885efd7ba6286cd8317d994359cb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vnrjsv0g\vnrjsv0g.0.cs

Filesize
365B

MD5
b819779440131bfeef1314bfecf28e20

SHA1
e0b6b79d67faf69833a8b0073c3ab5e84c252120

SHA256
aa21ac1b635776f8449a0e456ca05ef2ae5d32ecc3e8a59487534f88cd7152e4

SHA512
bb75865af146a8d0d3db709798720582a30c8a6072fa203d2c5c95ebed3df048b02ab42f1c56ae2bc75d3dff0d0fcc07bdc81f4bb36bc3cbc64811929d11adfc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vnrjsv0g\vnrjsv0g.cmdline

Filesize
235B

MD5
0ade4ff8687020f65b635ebaf2881250

SHA1
8ed4b046f722fc7dfdbd6a5d14d8e6c323f2eddd

SHA256
81b2a9ca3c2d4b590958d616cf702734209b031fc34970dcee297afd61b0a9bc

SHA512
65f002c901122cdddfdeff14c98f2813e06ede770106ed0e556fcd53ede62c3c9107300ecb09b52d2db329a772bccb4deca66ce4d935212a3db42c10c5e604a8

Download Submit
\??\c:\Windows\System32\CSCD572DDCC1DD4160A722A97B9C71F53E.TMP

Filesize
1KB

MD5
2fd2b90e7053b01e6af25701a467eb1f

SHA1
68801a13cebba82c24f67a9d7c886fcefcf01a51

SHA256
12b900db56a20f01f0f1d65f46933971415d5b5675e59e8b02b3dae12aaa1527

SHA512
081d3a621e3664709867f3fdd82808364978f896fb007c0c8e6c8dfe25f2f2b8d37c9e0b2e4fb51c90bc6f691507b569e5d841ef3ca3bd38bd6adda2d30f32af

Download Submit
memory/660-277-0x000000001C3D0000-0x000000001C43B000-memory.dmp

Filesize
428KB

Download
memory/660-278-0x000000001CCA0000-0x000000001CE0A000-memory.dmp

Filesize
1.4MB

Download
memory/824-17-0x0000000002EE0000-0x0000000002EFC000-memory.dmp

Filesize
112KB

Download
memory/824-22-0x00000000015C0000-0x00000000015CC000-memory.dmp

Filesize
48KB

Download
memory/824-20-0x0000000002F00000-0x0000000002F18000-memory.dmp

Filesize
96KB

Download
memory/824-13-0x0000000000B90000-0x0000000000D84000-memory.dmp

Filesize
2.0MB

Download
memory/824-15-0x00000000015B0000-0x00000000015BE000-memory.dmp

Filesize
56KB

Download
memory/824-28-0x0000000002F20000-0x0000000002F2C000-memory.dmp

Filesize
48KB

Download
memory/824-18-0x000000001BEF0000-0x000000001BF40000-memory.dmp

Filesize
320KB

Download
memory/824-26-0x0000000002ED0000-0x0000000002EDE000-memory.dmp

Filesize
56KB

Download
memory/824-57-0x000000001BA30000-0x000000001BA9B000-memory.dmp

Filesize
428KB

Download
memory/824-24-0x0000000002EC0000-0x0000000002ECC000-memory.dmp

Filesize
48KB

Download
memory/824-12-0x00007FFD0AB03000-0x00007FFD0AB05000-memory.dmp

Filesize
8KB

Download
memory/1012-247-0x000000001C200000-0x000000001C26B000-memory.dmp

Filesize
428KB

Download
memory/1012-248-0x000000001CBB0000-0x000000001CD1A000-memory.dmp

Filesize
1.4MB

Download
memory/1832-218-0x000000001C7A0000-0x000000001C90A000-memory.dmp

Filesize
1.4MB

Download
memory/1832-217-0x000000001B770000-0x000000001B7DB000-memory.dmp

Filesize
428KB

Download
memory/2044-103-0x000000001C5D0000-0x000000001C63B000-memory.dmp

Filesize
428KB

Download
memory/2308-74-0x000000001C030000-0x000000001C09B000-memory.dmp

Filesize
428KB

Download
memory/2708-187-0x000000001B6D0000-0x000000001B73B000-memory.dmp

Filesize
428KB

Download
memory/2708-188-0x000000001BF80000-0x000000001C0EA000-memory.dmp

Filesize
1.4MB

Download
memory/2976-233-0x000000001C2E0000-0x000000001C44A000-memory.dmp

Filesize
1.4MB

Download
memory/2976-232-0x000000001B2C0000-0x000000001B32B000-memory.dmp

Filesize
428KB

Download
memory/3328-173-0x000000001BC70000-0x000000001BCDB000-memory.dmp

Filesize
428KB

Download
memory/3560-159-0x000000001C190000-0x000000001C1FB000-memory.dmp

Filesize
428KB

Download
memory/3680-117-0x000000001BB90000-0x000000001BBFB000-memory.dmp

Filesize
428KB

Download
memory/4128-202-0x000000001B680000-0x000000001B6EB000-memory.dmp

Filesize
428KB

Download
memory/4128-203-0x000000001C640000-0x000000001C7AA000-memory.dmp

Filesize
1.4MB

Download
memory/4288-145-0x000000001C480000-0x000000001C4EB000-memory.dmp

Filesize
428KB

Download
memory/4536-263-0x000000001CA30000-0x000000001CB9A000-memory.dmp

Filesize
1.4MB

Download
memory/4536-262-0x000000001C160000-0x000000001C1CB000-memory.dmp

Filesize
428KB

Download
memory/4548-131-0x000000001C320000-0x000000001C38B000-memory.dmp

Filesize
428KB

Download
memory/5076-89-0x000000001AEE0000-0x000000001AF4B000-memory.dmp

Filesize
428KB

Download