dcrat | aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
Size

1.7MB
MD5

707f4ad9209b26de91ddd3e1c7e652db
SHA1

53c2b889fff7f9b276262d4ef10d62bd5d738d52
SHA256

aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c
SHA512

e520f2354269d33d3cd37374a5e3304c5e62926d09590e1687ee408ce124ee6a1641a3ba4eb51875095a327c31e099b8e7cd8a24335f08c667b9a3db5ebebdfb
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4748	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4748	schtasks.exe	82

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4852-1-0x0000000000770000-0x0000000000930000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cb9-30.dat	dcrat
behavioral2/files/0x0008000000023cc4-51.dat	dcrat
behavioral2/files/0x000d000000023bdf-73.dat	dcrat
behavioral2/files/0x000a000000023ca8-84.dat	dcrat
behavioral2/files/0x0008000000023cb5-106.dat	dcrat
behavioral2/memory/4800-267-0x0000000000C80000-0x0000000000E40000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2944	powershell.exe
5112	powershell.exe
1540	powershell.exe
3692	powershell.exe
2052	powershell.exe
904	powershell.exe
1892	powershell.exe
4460	powershell.exe
2924	powershell.exe
4128	powershell.exe
4884	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 10 IoCs

pid	Process
4800	unsecapp.exe
968	unsecapp.exe
3308	unsecapp.exe
5112	unsecapp.exe
1064	unsecapp.exe
5056	unsecapp.exe
1540	unsecapp.exe
1172	unsecapp.exe
2928	unsecapp.exe
1644	unsecapp.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCXBD5D.tmp	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\unsecapp.exe	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File created	C:\Program Files\Java\jre-1.8\unsecapp.exe	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File created	C:\Program Files\Java\jre-1.8\29c1c3cc0f7685	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCXBDDB.tmp	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\RCXC4F4.tmp	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\RCXC562.tmp	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File created	C:\Program Files\ModifiableWindowsApps\dllhost.exe	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\29c1c3cc0f7685	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Registration\sppsvc.exe	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File created	C:\Windows\CbsTemp\smss.exe	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File created	C:\Windows\CbsTemp\69ddcba757bf72	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File opened for modification	C:\Windows\Registration\RCXC767.tmp	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File opened for modification	C:\Windows\CbsTemp\RCXBB29.tmp	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File opened for modification	C:\Windows\CbsTemp\smss.exe	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File opened for modification	C:\Windows\Registration\RCXC768.tmp	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File created	C:\Windows\Registration\sppsvc.exe	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File created	C:\Windows\Registration\0a1fd5f707cd16	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
File opened for modification	C:\Windows\CbsTemp\RCXBABB.tmp	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1828	schtasks.exe
1804	schtasks.exe
3108	schtasks.exe
32	schtasks.exe
4888	schtasks.exe
4008	schtasks.exe
4212	schtasks.exe
3908	schtasks.exe
4996	schtasks.exe
2064	schtasks.exe
4540	schtasks.exe
4036	schtasks.exe
2616	schtasks.exe
4564	schtasks.exe
3936	schtasks.exe
3500	schtasks.exe
2936	schtasks.exe
2544	schtasks.exe
4136	schtasks.exe
1972	schtasks.exe
1080	schtasks.exe
4308	schtasks.exe
3360	schtasks.exe
2960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2944	powershell.exe
2944	powershell.exe
904	powershell.exe
904	powershell.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
4460	powershell.exe
4460	powershell.exe
1892	powershell.exe
1892	powershell.exe
4128	powershell.exe
4128	powershell.exe
3692	powershell.exe
3692	powershell.exe
2052	powershell.exe
2052	powershell.exe
5112	powershell.exe
5112	powershell.exe
4884	powershell.exe
4884	powershell.exe
3692	powershell.exe
2924	powershell.exe
2924	powershell.exe
1540	powershell.exe
1540	powershell.exe
1540	powershell.exe
904	powershell.exe
2944	powershell.exe
1892	powershell.exe
4460	powershell.exe
2052	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	4800	unsecapp.exe
Token: SeDebugPrivilege	968	unsecapp.exe
Token: SeDebugPrivilege	3308	unsecapp.exe
Token: SeDebugPrivilege	5112	unsecapp.exe
Token: SeDebugPrivilege	1064	unsecapp.exe
Token: SeDebugPrivilege	5056	unsecapp.exe
Token: SeDebugPrivilege	1540	unsecapp.exe
Token: SeDebugPrivilege	1172	unsecapp.exe
Token: SeDebugPrivilege	2928	unsecapp.exe
Token: SeDebugPrivilege	1644	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 2924	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	107
PID 4852 wrote to memory of 2924	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	107
PID 4852 wrote to memory of 4884	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	108
PID 4852 wrote to memory of 4884	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	108
PID 4852 wrote to memory of 4128	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	109
PID 4852 wrote to memory of 4128	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	109
PID 4852 wrote to memory of 2944	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	110
PID 4852 wrote to memory of 2944	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	110
PID 4852 wrote to memory of 3692	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	111
PID 4852 wrote to memory of 3692	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	111
PID 4852 wrote to memory of 2052	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	112
PID 4852 wrote to memory of 2052	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	112
PID 4852 wrote to memory of 904	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	113
PID 4852 wrote to memory of 904	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	113
PID 4852 wrote to memory of 5112	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	114
PID 4852 wrote to memory of 5112	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	114
PID 4852 wrote to memory of 1540	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	115
PID 4852 wrote to memory of 1540	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	115
PID 4852 wrote to memory of 1892	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	116
PID 4852 wrote to memory of 1892	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	116
PID 4852 wrote to memory of 4460	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	117
PID 4852 wrote to memory of 4460	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	117
PID 4852 wrote to memory of 4680	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	129
PID 4852 wrote to memory of 4680	4852	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	129
PID 4680 wrote to memory of 2656	4680	cmd.exe	131
PID 4680 wrote to memory of 2656	4680	cmd.exe	131
PID 4680 wrote to memory of 4800	4680	cmd.exe	135
PID 4680 wrote to memory of 4800	4680	cmd.exe	135
PID 4800 wrote to memory of 4056	4800	unsecapp.exe	136
PID 4800 wrote to memory of 4056	4800	unsecapp.exe	136
PID 4800 wrote to memory of 3188	4800	unsecapp.exe	137
PID 4800 wrote to memory of 3188	4800	unsecapp.exe	137
PID 4056 wrote to memory of 968	4056	WScript.exe	141
PID 4056 wrote to memory of 968	4056	WScript.exe	141
PID 968 wrote to memory of 1172	968	unsecapp.exe	142
PID 968 wrote to memory of 1172	968	unsecapp.exe	142
PID 968 wrote to memory of 1512	968	unsecapp.exe	143
PID 968 wrote to memory of 1512	968	unsecapp.exe	143
PID 1172 wrote to memory of 3308	1172	WScript.exe	146
PID 1172 wrote to memory of 3308	1172	WScript.exe	146
PID 3308 wrote to memory of 3656	3308	unsecapp.exe	147
PID 3308 wrote to memory of 3656	3308	unsecapp.exe	147
PID 3308 wrote to memory of 1080	3308	unsecapp.exe	148
PID 3308 wrote to memory of 1080	3308	unsecapp.exe	148
PID 3656 wrote to memory of 5112	3656	WScript.exe	149
PID 3656 wrote to memory of 5112	3656	WScript.exe	149
PID 5112 wrote to memory of 1176	5112	unsecapp.exe	150
PID 5112 wrote to memory of 1176	5112	unsecapp.exe	150
PID 5112 wrote to memory of 3348	5112	unsecapp.exe	151
PID 5112 wrote to memory of 3348	5112	unsecapp.exe	151
PID 1176 wrote to memory of 1064	1176	WScript.exe	152
PID 1176 wrote to memory of 1064	1176	WScript.exe	152
PID 1064 wrote to memory of 1976	1064	unsecapp.exe	153
PID 1064 wrote to memory of 1976	1064	unsecapp.exe	153
PID 1064 wrote to memory of 4472	1064	unsecapp.exe	154
PID 1064 wrote to memory of 4472	1064	unsecapp.exe	154
PID 1976 wrote to memory of 5056	1976	WScript.exe	155
PID 1976 wrote to memory of 5056	1976	WScript.exe	155
PID 5056 wrote to memory of 5020	5056	unsecapp.exe	156
PID 5056 wrote to memory of 5020	5056	unsecapp.exe	156
PID 5056 wrote to memory of 3304	5056	unsecapp.exe	157
PID 5056 wrote to memory of 3304	5056	unsecapp.exe	157
PID 5020 wrote to memory of 1540	5020	WScript.exe	158
PID 5020 wrote to memory of 1540	5020	WScript.exe	158

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
"C:\Users\Admin\AppData\Local\Temp\aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zXE8VSno5s.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2656
- - C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe
    "C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd2d285d-8361-47d8-84b9-06f2c1cbd2c7.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4056
    - - C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe
        
        "C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89818dcf-5068-43e4-a92a-c99b677b504b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe
        
        "C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c715b9c4-a4ca-4eaf-8f3a-b07ff946691b.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe
        
        "C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35fd99b8-e2ce-4b9b-85b6-ed5d14c7a5a5.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe
        
        "C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\277e05f2-800e-4874-95fb-aac3fb16bb25.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe
        
        "C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4f35df2-90b6-4d22-b0d1-0328dc7adcd4.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe
        
        "C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faef5a0d-0e4d-4f35-989b-c018e4bb5906.vbs"
        16⤵
        
        PID:60
        
        C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe
        
        "C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44e7d075-d315-4339-93a9-56b30102f74e.vbs"
        18⤵
        
        PID:4540
        
        C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe
        
        "C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56552e0e-de02-48d9-a818-9bca9b74c053.vbs"
        20⤵
        
        PID:3056
        
        C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe
        
        "C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adec633d-5ee9-456e-9ca4-4c83890302c9.vbs"
        22⤵
        
        PID:1240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a008627a-5239-48f6-b39c-e2529d6e3e6b.vbs"
        22⤵
        
        PID:4308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0eae7311-f1b5-4900-9c66-91fc124ee4a1.vbs"
        20⤵
        
        PID:4992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\862a4b02-ad17-4e54-8dd4-d46f6fdbb01c.vbs"
        18⤵
        
        PID:636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\298c75cf-1e21-45c8-bfe8-2ff5f4ead2bb.vbs"
        16⤵
        
        PID:4124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db5a80f1-fe8c-45d7-a629-c4eea44aceb4.vbs"
        14⤵
        
        PID:3304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2098b6ae-16b7-4e46-9409-a0742a418001.vbs"
        12⤵
        
        PID:4472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bab99898-0fa8-4402-a7f4-b266b74d7d0d.vbs"
        10⤵
        
        PID:3348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4199b7e0-25b4-4cac-812f-01c001ea1e1f.vbs"
        8⤵
        
        PID:1080
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc346910-d324-476e-babf-7b63fe09f6fd.vbs"
        6⤵
        
        PID:1512
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd4d9223-a11a-48e8-968e-74f8db8eb6e2.vbs"
      4⤵
      PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Saved Games\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\CbsTemp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre-1.8\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Registration\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\Accessories\fr-FR\unsecapp.exe

Filesize
1.7MB

MD5
8c94dd51cacf075ce855f767527fe37b

SHA1
c2e92f00950cf362a24e442a2d07e3672eafb089

SHA256
dc1af0ebbb98940aa3bbbe6a528ac0ecf1b072a170ed1cb9d2ef17cfe487355a

SHA512
630432af22f82fe373b568f7f6bb8de7e17b12b5a538a6bd2d2d534c9a8b3472b935b2aac33af49a0b05b789dac6155eaafca47b6f551233af43c98adcefcd7b

Download Submit
C:\ProgramData\RuntimeBroker.exe

Filesize
1.7MB

MD5
d91562e1cbe2c924c2598dd64fb6985e

SHA1
198c8a9589068b1d6db6d58c968e85d892483b93

SHA256
45197093bbb7536033f586d9fb235753f649a833bab38ea50a9bf90930b6628c

SHA512
e3b23caba5372e31143e6c197ddb532fab9075a3450f7842a6c0ac2bc732d3f397e93f78ea0768d21e0aed1aa4af030c8b01a1a26dd52bec84bbb6ec4c3b0ce9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\277e05f2-800e-4874-95fb-aac3fb16bb25.vbs

Filesize
734B

MD5
57fbd4523dc7fba7109ead59b863e99c

SHA1
3b3c58e0441dd2060f670df74fb7a8fae33e8d66

SHA256
83100cc103175d4918d525b31b17afc60242f8536aa93e9ec319ae53fc755254

SHA512
5a3150be1eae1a7c2684e61c77d2f2da27f14dfb89c29f24e077967d86b9f265a984c9e2539700cf88cefafc375f5a6e142267aa1ee93be38d0425f1fa3afa87

Download Submit
C:\Users\Admin\AppData\Local\Temp\35fd99b8-e2ce-4b9b-85b6-ed5d14c7a5a5.vbs

Filesize
734B

MD5
14d462326b97d09936c615b9b2d1e4e2

SHA1
84bb02a2bbc54a747b89b441082b0768f5530d2b

SHA256
8e13325d0a526b9d2c6e883e3f63d33ace49051dbaf6b744e0c251e3be0298de

SHA512
58e1b78cb1e7a7923a142faf952600bbc89dd5023d386a52833aa88b79837cd93d488e2dce675dfa4ada232b80200d5490ee60e3b4a472ab7b86b8dbc610b8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\44e7d075-d315-4339-93a9-56b30102f74e.vbs

Filesize
734B

MD5
e5274d8b8be1ac1605728fcbfc8629d8

SHA1
ca30730287b85919e67d2a96f5293ebfdaae4f9d

SHA256
2cefec8e69a909efe49d1a8f797c2ceaf0a696bfcdbf3b4f2cae57b1b472136d

SHA512
8933887cab3b1259ef9497a13fe3d0ca25fa05f030c5ab0780300484ac1d63506f22fe4484d7f8518659a82548241a36fdaea1d9748716bf8bd4b05441f9ef84

Download Submit
C:\Users\Admin\AppData\Local\Temp\56552e0e-de02-48d9-a818-9bca9b74c053.vbs

Filesize
734B

MD5
f4192f1ba546b1b1cd4b47727fa745ab

SHA1
4fdc7c81485959c4480a7f731d640ea71489b3cd

SHA256
ade4fbb13aa3fd47697b1eac0467aa475e81cecf2bc2ad4b2ac7d5afbff4af98

SHA512
627cb07531c8e6097de760206ffec2e302e178b90079ff0bd1cc9ea1c2a824c1aab8bcf11492ada6d2d86555d48250b62461738d90b66b24c806a2f5f15a6566

Download Submit
C:\Users\Admin\AppData\Local\Temp\89818dcf-5068-43e4-a92a-c99b677b504b.vbs

Filesize
733B

MD5
c2e0436398ec5df586a9579eca014be1

SHA1
65c86fefff20337024e0f0c99397bec473c37f52

SHA256
6db3bdfc113105109f62e1895061c17a1e50b77b024cc3217cbab3d453741e2a

SHA512
3dab3c17a8691cbe928b7dec64cb757aa8349605f2a9175704e13b94f8941ff054ddb93695ca9b0cfc3b24caa99b4dcca6bfcd8379397a92d0ec3cb024573f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2nm3dlcw.ozx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\adec633d-5ee9-456e-9ca4-4c83890302c9.vbs

Filesize
734B

MD5
6cce0b0e94055056c3607e8230e0e32d

SHA1
85e92f6c704bfe8ed11804c23829aa72d2b15a20

SHA256
d35fb6000f19123cff3048882f9b7d028537547102fc8bddd5522a78c4e44395

SHA512
009099b4544db67f543554294b1089aba0f3b7f2216a2ed274111babb0c04b5ae1e6f29642f94f718b64e29fbcbc86d74bb0d699199190514c496b564f752ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c715b9c4-a4ca-4eaf-8f3a-b07ff946691b.vbs

Filesize
734B

MD5
67cbead9653111140bd0db41fc53ca2f

SHA1
52b13ace15bf17147a26c6a60ddb9fdd888d12b8

SHA256
bece0613aaf299b1a15d41a9ab9cff60b775bfe7bdf0433c3961cc5f9522a5cb

SHA512
afb6920cff1cbdbbfe62dca7013a7ccf0ab4f3b1eb75fbf6cf54a95f4b561bc020e4751767024ffba89100d0ecbeaac189c2012a6b085c3a75f8bc000ceb92d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd2d285d-8361-47d8-84b9-06f2c1cbd2c7.vbs

Filesize
734B

MD5
9fb2bf633cba4d10d2b08fae8d76db0e

SHA1
91706d3a5d49b21e86f79075b314e4cddab6b9e9

SHA256
bf6c3da9c2db7f5e09ef7d21fa1ca3c9be0c3e671b04f2361a3355916168f272

SHA512
e1f3d03162870b00f88a6a809879c78732f3af887724fbcbff0b236a1c2d00841ab0598f043dac1705e38203046009b8c9423b46a88012f4a5a8dba128438105

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd4d9223-a11a-48e8-968e-74f8db8eb6e2.vbs

Filesize
510B

MD5
9fb29d90f9bfaed31bc405c752765ce7

SHA1
d7f85b8aaa1d3714883bac7a25fac1d391e7f019

SHA256
a1cfc95c6ff01d5acd04069a00e82277cd6e7fcfe9049f58d7c1bbab2b461580

SHA512
200f22bad9e16f690e10d4b53146410aaf4ed2fa222feab69f5f5e57d4734401c8cf2d72e8ee2dfe10a95a68c5d83f7c3ddd05ebdbf1b8ab396dfa54b5d98c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4f35df2-90b6-4d22-b0d1-0328dc7adcd4.vbs

Filesize
734B

MD5
ce6b7d0d3435e184d1fd73dc9567f4af

SHA1
b557eae80f90def0172c72c63613398ed595c341

SHA256
2a2c3a6a391f300d813b23195de7bd5941b034451f4a5d402cfe7b8c9ac2f8fc

SHA512
4708420e7654bfc9b2c2553272bcb76b56e50562f0e3a6fbc0524a4a77a5b9ead2b6c4830cea3bb50e522dba28c49cbaf6e48932468e43c467e155738ada9da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\faef5a0d-0e4d-4f35-989b-c018e4bb5906.vbs

Filesize
734B

MD5
825fd75c2be1d388a2be36058e024d04

SHA1
576b40f031dfda96a7eae8a8a5222a594bf98050

SHA256
db8b7aff3af5772ffdd226e88a27ca293749100064fd7865aca389d978656cef

SHA512
007f44d9b0b51cc50427e0020971ebbb2e44474c7e2430986a296ad8f26a1ef88d8be1d39cf3be582d2da2222d5029ef5a95f5a5daf0f439bf9e98462263469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXE8VSno5s.bat

Filesize
223B

MD5
19a20ebed588e5ae2fcc6670b6ea4f23

SHA1
4a7950bf1bb2c92dc112d8bd00d9ba07a17864df

SHA256
cb69b3e94871c2232aabe79c7a6119f751dc9fa9ec73aff3ef2d38c3b187fe06

SHA512
e174d2dfca13e82844cd3bf95df4ad730f362f8c2b9e74a4e0eb9c25813c86c24c827d8652304c4097bded94bf7425904fa6bbb59d653c9458a180fbd9664011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\smss.exe

Filesize
1.7MB

MD5
707f4ad9209b26de91ddd3e1c7e652db

SHA1
53c2b889fff7f9b276262d4ef10d62bd5d738d52

SHA256
aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c

SHA512
e520f2354269d33d3cd37374a5e3304c5e62926d09590e1687ee408ce124ee6a1641a3ba4eb51875095a327c31e099b8e7cd8a24335f08c667b9a3db5ebebdfb

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\wininit.exe

Filesize
1.7MB

MD5
4f518002c4de11cb057b32ac5a5ca156

SHA1
60cf2394865b8af88c75f697f56f3a25213d30de

SHA256
d158600a3b4a86d16e8fd91ccead1333c6bd283271b2637582617b3f8334bce1

SHA512
d07e7f377aa2d1e6f84f62dd444a7c2937496c4517c8a19778491aa44104638d9a54b74810b426cd94067087cea012175bb449b9ac91f542b141315a3cf86bc3

Download Submit
C:\Windows\CbsTemp\smss.exe

Filesize
1.7MB

MD5
f86cdc8d5bc9c4d721167c9806858444

SHA1
a64e88bd769cdf79f80a511c926b436b837df207

SHA256
94b528ae302a9f59cea840c713a635afb229d30312d238578a9f1fb018eae525

SHA512
5339852a2388f39b27c53625922d9d34555a4242e92a65b5983bb5ee3d219e8d6d3565c3ab0782b0f54d61b5195aeed9da408946a2c2e2d7d265241ec971781a

Download Submit
memory/1172-346-0x000000001B360000-0x000000001B372000-memory.dmp

Filesize
72KB

Download
memory/2928-358-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/2944-145-0x0000019DC58E0000-0x0000019DC5902000-memory.dmp

Filesize
136KB

Download
memory/4800-267-0x0000000000C80000-0x0000000000E40000-memory.dmp

Filesize
1.8MB

Download
memory/4852-14-0x000000001B520000-0x000000001B52C000-memory.dmp

Filesize
48KB

Download
memory/4852-139-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4852-137-0x00007FFDEED13000-0x00007FFDEED15000-memory.dmp

Filesize
8KB

Download
memory/4852-23-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4852-19-0x000000001BEA0000-0x000000001BEAC000-memory.dmp

Filesize
48KB

Download
memory/4852-20-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4852-15-0x000000001BD60000-0x000000001BD6A000-memory.dmp

Filesize
40KB

Download
memory/4852-16-0x000000001BD70000-0x000000001BD7E000-memory.dmp

Filesize
56KB

Download
memory/4852-17-0x000000001BD80000-0x000000001BD88000-memory.dmp

Filesize
32KB

Download
memory/4852-18-0x000000001BE90000-0x000000001BE9C000-memory.dmp

Filesize
48KB

Download
memory/4852-0-0x00007FFDEED13000-0x00007FFDEED15000-memory.dmp

Filesize
8KB

Download
memory/4852-13-0x000000001C190000-0x000000001C6B8000-memory.dmp

Filesize
5.2MB

Download
memory/4852-12-0x000000001B510000-0x000000001B522000-memory.dmp

Filesize
72KB

Download
memory/4852-10-0x000000001B500000-0x000000001B508000-memory.dmp

Filesize
32KB

Download
memory/4852-9-0x000000001B4A0000-0x000000001B4AC000-memory.dmp

Filesize
48KB

Download
memory/4852-7-0x000000001B470000-0x000000001B486000-memory.dmp

Filesize
88KB

Download
memory/4852-8-0x000000001B490000-0x000000001B4A0000-memory.dmp

Filesize
64KB

Download
memory/4852-5-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download
memory/4852-6-0x000000001B460000-0x000000001B470000-memory.dmp

Filesize
64KB

Download
memory/4852-4-0x000000001B4B0000-0x000000001B500000-memory.dmp

Filesize
320KB

Download
memory/4852-3-0x000000001B440000-0x000000001B45C000-memory.dmp

Filesize
112KB

Download
memory/4852-2-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4852-1-0x0000000000770000-0x0000000000930000-memory.dmp

Filesize
1.8MB

Download