dcrat | 0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
Size

1.7MB
MD5

73f8fb574f3eb89a16b9170aad01fec0
SHA1

15bf5763fc20fd9f777092176e16337941694ea3
SHA256

0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735
SHA512

115d89d8231c66101290fe4d73b8c51d56c21727c7cb855815254bbcd7c0e1f8bd97e23f329ccb665ddc8fe7dc18aad5149bfac4d9fe2ce25ded706ff842e2d9
SSDEEP

24576:j3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:jgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	1660	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	1660	schtasks.exe	83

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4280-1-0x0000000000110000-0x00000000002C6000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c9b-29.dat	dcrat
behavioral2/files/0x000200000001e762-127.dat	dcrat
behavioral2/files/0x000c000000023ca7-223.dat	dcrat
behavioral2/files/0x0009000000023cb3-234.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4012	powershell.exe
1408	powershell.exe
3440	powershell.exe
4164	powershell.exe
3504	powershell.exe
1624	powershell.exe
1968	powershell.exe
3088	powershell.exe
5116	powershell.exe
1672	powershell.exe
2692	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe

Executes dropped EXE 2 IoCs

pid	Process
4828	Idle.exe
4780	Idle.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\de-DE\System.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\dwm.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Common Files\services.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\sihost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files\Windows Defender\es-ES\TextInputHost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files\Common Files\services.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files\Common Files\c5b4cb5e9653cc	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\RCX986E.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA635.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Common Files\RCXA84B.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sihost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\6cb0b6c459d5d3	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files\MSBuild\Microsoft\66fc9ff0ee96c2	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCXA19E.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Common Files\RCXA84A.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\System.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files\Windows Defender\es-ES\22eafd247d37c3	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\27d1bcfc3c54e0	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\RCX985E.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA636.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files\MSBuild\Microsoft\sihost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Java\spoolsv.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCXA19D.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXAEF7.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files\Java\f3b6ecef712a24	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Java\RCX9D05.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\dwm.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXAEF8.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCXBA2C.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files\Java\spoolsv.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Java\RCX9D06.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\sihost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCXBA2B.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\TextInputHost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\f3b6ecef712a24	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\L2Schemas\RCX9F1B.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\L2Schemas\RCX9F99.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\twain_32\RCXA420.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Windows\twain_32\TextInputHost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Windows\twain_32\22eafd247d37c3	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\9e8d7a4ca61bd9	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Windows\Branding\5b884080fd4f94	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\twain_32\RCXA421.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\twain_32\TextInputHost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXACE2.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Branding\RCXB826.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Branding\fontdrvhost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Windows\L2Schemas\spoolsv.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Windows\Branding\fontdrvhost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\L2Schemas\spoolsv.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXACF3.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Branding\RCXB7B8.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	Idle.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1104	schtasks.exe
1900	schtasks.exe
2096	schtasks.exe
3220	schtasks.exe
4524	schtasks.exe
1316	schtasks.exe
4408	schtasks.exe
3492	schtasks.exe
856	schtasks.exe
1488	schtasks.exe
2660	schtasks.exe
3388	schtasks.exe
3540	schtasks.exe
2276	schtasks.exe
716	schtasks.exe
1312	schtasks.exe
4388	schtasks.exe
5048	schtasks.exe
3088	schtasks.exe
4412	schtasks.exe
3696	schtasks.exe
4824	schtasks.exe
452	schtasks.exe
456	schtasks.exe
3460	schtasks.exe
4996	schtasks.exe
4012	schtasks.exe
4800	schtasks.exe
2444	schtasks.exe
3280	schtasks.exe
4820	schtasks.exe
4916	schtasks.exe
3860	schtasks.exe
1824	schtasks.exe
5028	schtasks.exe
2732	schtasks.exe
4036	schtasks.exe
1400	schtasks.exe
4976	schtasks.exe
1116	schtasks.exe
628	schtasks.exe
2076	schtasks.exe
5024	schtasks.exe
4476	schtasks.exe
1712	schtasks.exe
2328	schtasks.exe
588	schtasks.exe
2128	schtasks.exe
4780	schtasks.exe
3520	schtasks.exe
1108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
3440	powershell.exe
3440	powershell.exe
4164	powershell.exe
4164	powershell.exe
5116	powershell.exe
2692	powershell.exe
5116	powershell.exe
2692	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	4828	Idle.exe
Token: SeDebugPrivilege	4780	Idle.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 4012	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	143
PID 4280 wrote to memory of 4012	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	143
PID 4280 wrote to memory of 1624	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	144
PID 4280 wrote to memory of 1624	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	144
PID 4280 wrote to memory of 2692	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	145
PID 4280 wrote to memory of 2692	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	145
PID 4280 wrote to memory of 1672	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	146
PID 4280 wrote to memory of 1672	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	146
PID 4280 wrote to memory of 1968	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	147
PID 4280 wrote to memory of 1968	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	147
PID 4280 wrote to memory of 1408	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	149
PID 4280 wrote to memory of 1408	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	149
PID 4280 wrote to memory of 3504	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	150
PID 4280 wrote to memory of 3504	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	150
PID 4280 wrote to memory of 5116	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	152
PID 4280 wrote to memory of 5116	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	152
PID 4280 wrote to memory of 4164	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	153
PID 4280 wrote to memory of 4164	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	153
PID 4280 wrote to memory of 3440	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	154
PID 4280 wrote to memory of 3440	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	154
PID 4280 wrote to memory of 3088	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	155
PID 4280 wrote to memory of 3088	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	155
PID 4280 wrote to memory of 3036	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	165
PID 4280 wrote to memory of 3036	4280	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	165
PID 3036 wrote to memory of 2196	3036	cmd.exe	167
PID 3036 wrote to memory of 2196	3036	cmd.exe	167
PID 3036 wrote to memory of 4828	3036	cmd.exe	172
PID 3036 wrote to memory of 4828	3036	cmd.exe	172
PID 4828 wrote to memory of 1964	4828	Idle.exe	173
PID 4828 wrote to memory of 1964	4828	Idle.exe	173
PID 4828 wrote to memory of 1672	4828	Idle.exe	174
PID 4828 wrote to memory of 1672	4828	Idle.exe	174
PID 1964 wrote to memory of 4780	1964	WScript.exe	175
PID 1964 wrote to memory of 4780	1964	WScript.exe	175

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
"C:\Users\Admin\AppData\Local\Temp\0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8e4zbUuNh8.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2196
- - C:\Users\Public\Idle.exe
    "C:\Users\Public\Idle.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82a68b8f-b861-4beb-b5d1-95b8bd8a8599.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Users\Public\Idle.exe
        
        C:\Users\Public\Idle.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\144a7bdd-6cee-44e5-9452-0ee11b07a671.vbs"
      4⤵
      PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\twain_32\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Branding\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\spoolsv.exe

Filesize
1.7MB

MD5
73f8fb574f3eb89a16b9170aad01fec0

SHA1
15bf5763fc20fd9f777092176e16337941694ea3

SHA256
0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735

SHA512
115d89d8231c66101290fe4d73b8c51d56c21727c7cb855815254bbcd7c0e1f8bd97e23f329ccb665ddc8fe7dc18aad5149bfac4d9fe2ce25ded706ff842e2d9

Download Submit
C:\Recovery\WindowsRE\Registry.exe

Filesize
1.7MB

MD5
e0fe838ff387a7de01040b5ae0b77397

SHA1
7faca0e06b5cfaf80da99d7a255f08a2969da080

SHA256
8aeca6037ebd1cacbbf7b81816c346fc737851ecaa40a11f6837ff070aaa14ba

SHA512
17f7304b3f4b8a1e48a38377a5c588eab01b66525eac8c4c52c474090ec4d4b9467eabfa46c77bf75ee41f384aeeb39758bb0fdcf8d26f16ef582e2373d21add

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.7MB

MD5
7f64121aae1f7a232d54779b4358c87c

SHA1
672d90c24ba428bec2747d4f46034c4a0aeee303

SHA256
506b9436cc3848cb3b17ae38c2c1cddc7f4dfdfdff91500e64687ac7b180cbc9

SHA512
5cf592b241eb009f909d77abc009784a63b53ac9a3a4c5dd7bb3f87df039a68e9bdffd256dee6999ff87ee9490b0a3cdfccdb6ec72f4f23964fc2d645edbc9f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\144a7bdd-6cee-44e5-9452-0ee11b07a671.vbs

Filesize
476B

MD5
8bbf4153934eb8d1ad3c02b210defa4d

SHA1
340c863701f6d38dc7fde219c2e1c8bdc3447d38

SHA256
43c3fd4f64885ddaff0423017aa600903dd339c6f09dc11fb640d01871ddd122

SHA512
b41f0194db9a22acdd7dc5f312cd93f75135efcf3acae95317ce956f18f7073dedca0e8bb6e25d4fe8c80e04b1999fb4ae86ea728bb41eab2187dc1d7159ffb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\82a68b8f-b861-4beb-b5d1-95b8bd8a8599.vbs

Filesize
700B

MD5
dbfea23ab951b11af3bf029e796ef8b9

SHA1
64f94280ebfbece2e64e630d2508f91b9caac9e7

SHA256
dd349e374a1c390a9413ea53aaf29ba32522f3f923334211b203a621992c03e7

SHA512
4f1e3c395703e33f97fd5b852c91577f77907b7b81fa5b538fead4a64e1602b53b0ba42ddefe5521c7b3cfb9c28ea7e1952454982caa3ceb10fe6af1e3ddb762

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e4zbUuNh8.bat

Filesize
189B

MD5
5666a9ebf2ee52ace806fff640ca7477

SHA1
9a052703836af90a9e5e74bf361bafb44f671c45

SHA256
311afb144b81fa441e6a99c490f3108839b7748285561df85c916154822cd5f1

SHA512
6dc6bfca1e4d83b6238bc6c763996ce8a9956201b57b3121edb104156e698498046c0d5eaeb9dd2ddb3cbe9981ac30ab3f4aaa4a21f88b28845ab506e0a75989

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vk0piajn.i1d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\L2Schemas\spoolsv.exe

Filesize
1.7MB

MD5
50077b2bb3b15c1fde94037c24bd8eb6

SHA1
b645a06d438aebd6439ecb1b40b3725eb6687e57

SHA256
d4dd9321d609fe8cf9549a6054bc2f5ab79d6ed0e5032061c86fd0423cbf783e

SHA512
3b9d164c80ab11599cd4b6da558071368c2fef9631019f40f38af24c756ff72469c69627f92d4eebd30b8218c6374af4a383e6a326c885686f7f66b059485049

Download Submit
memory/2692-275-0x00000195FE450000-0x00000195FE472000-memory.dmp

Filesize
136KB

Download
memory/4280-10-0x000000001AE40000-0x000000001AE4C000-memory.dmp

Filesize
48KB

Download
memory/4280-11-0x000000001AEA0000-0x000000001AEA8000-memory.dmp

Filesize
32KB

Download
memory/4280-17-0x000000001B910000-0x000000001B91C000-memory.dmp

Filesize
48KB

Download
memory/4280-18-0x000000001B960000-0x000000001B96C000-memory.dmp

Filesize
48KB

Download
memory/4280-19-0x00007FFE6DBB0000-0x00007FFE6E671000-memory.dmp

Filesize
10.8MB

Download
memory/4280-22-0x00007FFE6DBB0000-0x00007FFE6E671000-memory.dmp

Filesize
10.8MB

Download
memory/4280-15-0x000000001B7F0000-0x000000001B7FA000-memory.dmp

Filesize
40KB

Download
memory/4280-16-0x000000001B800000-0x000000001B808000-memory.dmp

Filesize
32KB

Download
memory/4280-165-0x00007FFE6DBB3000-0x00007FFE6DBB5000-memory.dmp

Filesize
8KB

Download
memory/4280-177-0x00007FFE6DBB0000-0x00007FFE6E671000-memory.dmp

Filesize
10.8MB

Download
memory/4280-202-0x00007FFE6DBB0000-0x00007FFE6E671000-memory.dmp

Filesize
10.8MB

Download
memory/4280-220-0x00007FFE6DBB0000-0x00007FFE6E671000-memory.dmp

Filesize
10.8MB

Download
memory/4280-13-0x000000001B6D0000-0x000000001B6DC000-memory.dmp

Filesize
48KB

Download
memory/4280-14-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

Filesize
48KB

Download
memory/4280-0-0x00007FFE6DBB3000-0x00007FFE6DBB5000-memory.dmp

Filesize
8KB

Download
memory/4280-9-0x000000001B6C0000-0x000000001B6D0000-memory.dmp

Filesize
64KB

Download
memory/4280-299-0x00007FFE6DBB0000-0x00007FFE6E671000-memory.dmp

Filesize
10.8MB

Download
memory/4280-7-0x000000001AE10000-0x000000001AE26000-memory.dmp

Filesize
88KB

Download
memory/4280-8-0x000000001AE30000-0x000000001AE42000-memory.dmp

Filesize
72KB

Download
memory/4280-4-0x000000001AE50000-0x000000001AEA0000-memory.dmp

Filesize
320KB

Download
memory/4280-5-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/4280-6-0x000000001AE00000-0x000000001AE10000-memory.dmp

Filesize
64KB

Download
memory/4280-1-0x0000000000110000-0x00000000002C6000-memory.dmp

Filesize
1.7MB

Download
memory/4280-3-0x0000000000AA0000-0x0000000000ABC000-memory.dmp

Filesize
112KB

Download
memory/4280-2-0x00007FFE6DBB0000-0x00007FFE6E671000-memory.dmp

Filesize
10.8MB

Download
memory/4828-391-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download