dcrat | abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Size

1.7MB
MD5

92f20cf5b97297600b5272178b6534c7
SHA1

3d7b513aea13d6a7c7e66d0a74d0af11b8d7f625
SHA256

abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b
SHA512

81f0c12d78f958d1a1d74bd13ed015c878bef5a51040ab9346713a47626a58e163f6568b9f97803b18b49a583b5622c61fd065d9fe957af8763ce80edd3135c4
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	3640	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	3640	schtasks.exe	83

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1032-1-0x0000000000280000-0x0000000000440000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b99-30.dat	dcrat
behavioral2/files/0x000d000000023ba3-59.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1208	powershell.exe
1608	powershell.exe
908	powershell.exe
1784	powershell.exe
2764	powershell.exe
1148	powershell.exe
3404	powershell.exe
3832	powershell.exe
756	powershell.exe
2824	powershell.exe
4552	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 10 IoCs

pid	Process
4452	unsecapp.exe
4084	unsecapp.exe
1488	unsecapp.exe
5044	unsecapp.exe
3324	unsecapp.exe
1736	unsecapp.exe
3820	unsecapp.exe
3252	unsecapp.exe
2096	unsecapp.exe
2388	unsecapp.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXC5BC.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\27d1bcfc3c54e0	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\1ed22f03789fd4	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXC348.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\System.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\29c1c3cc0f7685	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCXC0C7.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXC5BB.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCXC0C6.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\System.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXC3B7.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris\Idle.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris\6ccacd8608530f	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\Tasks\sysmon.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris\RCXBC0E.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris\RCXBC0F.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Tasks\RCXC7D1.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris\Idle.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\Tasks\121e5b5079f7c0	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Tasks\RCXC7D0.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Tasks\sysmon.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	unsecapp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3836	schtasks.exe
1636	schtasks.exe
3896	schtasks.exe
3496	schtasks.exe
3568	schtasks.exe
4392	schtasks.exe
1736	schtasks.exe
4908	schtasks.exe
1432	schtasks.exe
2512	schtasks.exe
1460	schtasks.exe
324	schtasks.exe
4324	schtasks.exe
2608	schtasks.exe
4012	schtasks.exe
2296	schtasks.exe
1364	schtasks.exe
4516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1208	powershell.exe
1208	powershell.exe
1784	powershell.exe
1784	powershell.exe
3404	powershell.exe
3404	powershell.exe
1148	powershell.exe
1148	powershell.exe
2824	powershell.exe
2824	powershell.exe
2764	powershell.exe
2764	powershell.exe
908	powershell.exe
908	powershell.exe
3832	powershell.exe
3832	powershell.exe
4552	powershell.exe
4552	powershell.exe
1608	powershell.exe
1608	powershell.exe
756	powershell.exe
756	powershell.exe
2824	powershell.exe
3404	powershell.exe
1208	powershell.exe
1784	powershell.exe
2764	powershell.exe
1148	powershell.exe
4552	powershell.exe
3832	powershell.exe
908	powershell.exe
1608	powershell.exe
756	powershell.exe
4452	unsecapp.exe
4452	unsecapp.exe
4452	unsecapp.exe
4452	unsecapp.exe
4452	unsecapp.exe
4452	unsecapp.exe
4452	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	4452	unsecapp.exe
Token: SeDebugPrivilege	4084	unsecapp.exe
Token: SeDebugPrivilege	1488	unsecapp.exe
Token: SeDebugPrivilege	5044	unsecapp.exe
Token: SeDebugPrivilege	3324	unsecapp.exe
Token: SeDebugPrivilege	1736	unsecapp.exe
Token: SeDebugPrivilege	3820	unsecapp.exe
Token: SeDebugPrivilege	3252	unsecapp.exe
Token: SeDebugPrivilege	2096	unsecapp.exe
Token: SeDebugPrivilege	2388	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 756	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	103
PID 1032 wrote to memory of 756	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	103
PID 1032 wrote to memory of 908	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	104
PID 1032 wrote to memory of 908	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	104
PID 1032 wrote to memory of 1784	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	105
PID 1032 wrote to memory of 1784	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	105
PID 1032 wrote to memory of 2824	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	106
PID 1032 wrote to memory of 2824	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	106
PID 1032 wrote to memory of 4552	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	107
PID 1032 wrote to memory of 4552	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	107
PID 1032 wrote to memory of 2764	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	108
PID 1032 wrote to memory of 2764	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	108
PID 1032 wrote to memory of 1208	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	109
PID 1032 wrote to memory of 1208	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	109
PID 1032 wrote to memory of 1148	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	110
PID 1032 wrote to memory of 1148	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	110
PID 1032 wrote to memory of 3404	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	111
PID 1032 wrote to memory of 3404	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	111
PID 1032 wrote to memory of 1608	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	112
PID 1032 wrote to memory of 1608	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	112
PID 1032 wrote to memory of 3832	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	113
PID 1032 wrote to memory of 3832	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	113
PID 1032 wrote to memory of 2660	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	125
PID 1032 wrote to memory of 2660	1032	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	125
PID 2660 wrote to memory of 2560	2660	cmd.exe	127
PID 2660 wrote to memory of 2560	2660	cmd.exe	127
PID 2660 wrote to memory of 4452	2660	cmd.exe	129
PID 2660 wrote to memory of 4452	2660	cmd.exe	129
PID 4452 wrote to memory of 2284	4452	unsecapp.exe	131
PID 4452 wrote to memory of 2284	4452	unsecapp.exe	131
PID 4452 wrote to memory of 4988	4452	unsecapp.exe	132
PID 4452 wrote to memory of 4988	4452	unsecapp.exe	132
PID 2284 wrote to memory of 4084	2284	WScript.exe	141
PID 2284 wrote to memory of 4084	2284	WScript.exe	141
PID 4084 wrote to memory of 3588	4084	unsecapp.exe	143
PID 4084 wrote to memory of 3588	4084	unsecapp.exe	143
PID 4084 wrote to memory of 4004	4084	unsecapp.exe	144
PID 4084 wrote to memory of 4004	4084	unsecapp.exe	144
PID 3588 wrote to memory of 1488	3588	WScript.exe	153
PID 3588 wrote to memory of 1488	3588	WScript.exe	153
PID 1488 wrote to memory of 532	1488	unsecapp.exe	155
PID 1488 wrote to memory of 532	1488	unsecapp.exe	155
PID 1488 wrote to memory of 4276	1488	unsecapp.exe	156
PID 1488 wrote to memory of 4276	1488	unsecapp.exe	156
PID 532 wrote to memory of 5044	532	WScript.exe	157
PID 532 wrote to memory of 5044	532	WScript.exe	157
PID 5044 wrote to memory of 4476	5044	unsecapp.exe	159
PID 5044 wrote to memory of 4476	5044	unsecapp.exe	159
PID 5044 wrote to memory of 1836	5044	unsecapp.exe	160
PID 5044 wrote to memory of 1836	5044	unsecapp.exe	160
PID 4476 wrote to memory of 3324	4476	WScript.exe	163
PID 4476 wrote to memory of 3324	4476	WScript.exe	163
PID 3324 wrote to memory of 3444	3324	unsecapp.exe	165
PID 3324 wrote to memory of 3444	3324	unsecapp.exe	165
PID 3324 wrote to memory of 4572	3324	unsecapp.exe	166
PID 3324 wrote to memory of 4572	3324	unsecapp.exe	166
PID 3444 wrote to memory of 1736	3444	WScript.exe	167
PID 3444 wrote to memory of 1736	3444	WScript.exe	167
PID 1736 wrote to memory of 3572	1736	unsecapp.exe	169
PID 1736 wrote to memory of 3572	1736	unsecapp.exe	169
PID 1736 wrote to memory of 4748	1736	unsecapp.exe	170
PID 1736 wrote to memory of 4748	1736	unsecapp.exe	170
PID 3572 wrote to memory of 3820	3572	WScript.exe	171
PID 3572 wrote to memory of 3820	3572	WScript.exe	171

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
"C:\Users\Admin\AppData\Local\Temp\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o2dZaecEWA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2560
- - C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe
    "C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01cd3a37-a083-4812-96ea-4e04e904e25d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4084
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75de7d15-0ffc-4e09-9d94-0a8c2e8509c7.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f369b80d-0c27-4a50-a994-7e8f2600f0db.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fef5454-273f-4b50-982a-ed8842af5e50.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9afc2234-edf2-4466-9aff-8c576a5f7fdb.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\121c98f1-4e64-4040-86ec-c2ff1cf3fe58.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\565cd565-e73a-4de5-a409-e05ead17b5be.vbs"
        16⤵
        
        PID:2876
        
        C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7816b80-e7ea-4c1e-b221-0df302a1d38a.vbs"
        18⤵
        
        PID:2148
        
        C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1b9b0db-1c3e-44d5-aec2-4ab165957674.vbs"
        20⤵
        
        PID:2680
        
        C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f9555b7-b087-4f91-96a8-1c950f768e46.vbs"
        22⤵
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b4f9f9f-ebca-4b25-ac7c-ef4b4df08b68.vbs"
        22⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dce23bb-76b5-4750-a29a-d8c20a47de56.vbs"
        20⤵
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c22965fa-86ca-4ddc-ad8f-b273fb59d403.vbs"
        18⤵
        
        PID:1248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c55a0830-fe3d-4854-811e-37b0d49e147b.vbs"
        16⤵
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03abb376-0926-4131-b56a-ec77310ab8e2.vbs"
        14⤵
        
        PID:4748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f15cc322-6fb4-4be2-8586-0fabeb7ce9fd.vbs"
        12⤵
        
        PID:4572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d573eeea-bea3-4faf-aecd-4ce26f8b4f53.vbs"
        10⤵
        
        PID:1836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3040b0e0-243b-4c51-8785-1660f6c6b003.vbs"
        8⤵
        
        PID:4276
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\641b7c70-ff11-4403-ae7c-67f667c9e662.vbs"
        6⤵
        
        PID:4004
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\485860ed-73c0-4b40-8a3a-b1659c239ee3.vbs"
      4⤵
      PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983ba" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983ba" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Tasks\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\unsecapp.exe

Filesize
1.7MB

MD5
92f20cf5b97297600b5272178b6534c7

SHA1
3d7b513aea13d6a7c7e66d0a74d0af11b8d7f625

SHA256
abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b

SHA512
81f0c12d78f958d1a1d74bd13ed015c878bef5a51040ab9346713a47626a58e163f6568b9f97803b18b49a583b5622c61fd065d9fe957af8763ce80edd3135c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\01cd3a37-a083-4812-96ea-4e04e904e25d.vbs

Filesize
729B

MD5
62a814565d7d495c51e6f23e0d4183b3

SHA1
6355b9c3460cf5c56c4ab9ce428a478ee75fbd28

SHA256
67f2b1b1014cf5335e410071f414d9cac82bd64d14121ea6ae6c4cbeb183dd46

SHA512
8118fc1a71a9c1534df7a03cdb8214b56ba52d14b2cce77bc80ec9fc46e737639689ce1d08076de90d50c4f2a4dc7ef7234b516c4799546115719caf12f194be

Download Submit
C:\Users\Admin\AppData\Local\Temp\121c98f1-4e64-4040-86ec-c2ff1cf3fe58.vbs

Filesize
729B

MD5
8e16e6daf71126bb20bfe663a3b483c6

SHA1
b8f81d5745647ee2ab76e2d56cd9f468b2499cac

SHA256
7dd1c2162779c6e710b32dc99e4dff1176365fff5dc3ef1aae898b20bfc371da

SHA512
d0e02bfa9f2224d6d06c966ab03095ed159f458d24e4d5deed14e8bc47a4b28f6de0f9192ee73711b3309d7c9820fa85f42d717996315f01b818ba972f5fd55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\485860ed-73c0-4b40-8a3a-b1659c239ee3.vbs

Filesize
505B

MD5
3e8639b9bd8a0ca05ddb41cb921fba69

SHA1
d8e3779d02b0600c53ca6cc4016f9f8845921cc7

SHA256
7fd8088e2b543fd92239f9b114255644771c93f402621cffb3e23414533d2e18

SHA512
56861bb70cb46bed05fa6d16870f536419dbfa2b323b1b0a2e687acba72f6cfbc6b163788863ff57010b40a706df07838279a0c38713d6fc32690037fe3bfeb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f9555b7-b087-4f91-96a8-1c950f768e46.vbs

Filesize
729B

MD5
af655725a619a0ccfbbbb116f55818e2

SHA1
8453412e9898df74f078a77c7922f2b42da78c29

SHA256
69e012e90dac6ca4fb45c19a31924807343b9d2d242c1fbf0365643abb4935d3

SHA512
289a49f303b1b02f79305e214f524579f0e63d2ebbffaf9df0b29273c06e322c897273e8bda2830ef695b71ba41d5fd3c1271c1c706378e05711706951b3fae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fef5454-273f-4b50-982a-ed8842af5e50.vbs

Filesize
729B

MD5
ff8344ad82b7b69e78d5e23216a49c37

SHA1
a7c529162a70ad5dafcb755ec6efba4ee2c6bb3b

SHA256
d258e33de735d178c843530a6e006bfc28016fe531607768b7dfa34b2c72edad

SHA512
6a6349629252d0e77a53b79bbb457b3bbf4eb0967655a82ab83595e1f2c36e3c39e247b1d92647ce40fb3e1d981e5ac841d8939b6994cc4a270d3f0a637ae2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\565cd565-e73a-4de5-a409-e05ead17b5be.vbs

Filesize
729B

MD5
a06ecbe0d3c4543826da4685bed33199

SHA1
12b90e425bf4cf83434bf8636f7d949e13489d52

SHA256
35c0d2d81e4c92e0444cb077d514b6bc49229a57d27318d4679e2c83e229e03c

SHA512
c47d6d3a212dbd2ed9cc7e8b9d6b0d8350cb0ddb575b006958c3fd7d5c6260a4887fcce965e5f5ee94de3a0ceda8a469d8592133dce6f20949095d22bdd95c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\75de7d15-0ffc-4e09-9d94-0a8c2e8509c7.vbs

Filesize
729B

MD5
608ff6ecadfaab05751f7ae020f25ed8

SHA1
e4ab739c821f2ef325398b792f210a948a22b35b

SHA256
3ebe77639b9792a398c36e51928bbb6a5deffb3ecfa3deba7cef053c0d11e165

SHA512
3abb194a24b5f93e8e6d847aeda005f56b62f06984fc5cd29712def58b9ea56d5c7030105109082e155c8423b15363fe2e1d34cbb423d21892c839b2ef852e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\9afc2234-edf2-4466-9aff-8c576a5f7fdb.vbs

Filesize
729B

MD5
80dd57af65ff5df1078ff011b3792560

SHA1
541083fc5f52edcbb465a85b52ed0da0dfc074f8

SHA256
628f96473a81abfc7c7c1bfede091ccdadc61f0710a097f118f34864b2b5ddc4

SHA512
07efef53e3ca20c3b6355e7fe120d4fad15601327ad898bc85e381d880502a04bef197ee2dd992a8b2ecd531bfcfe7f00a1e71225697556b22e1d9525a8c3def

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xtcuxdnw.n32.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7816b80-e7ea-4c1e-b221-0df302a1d38a.vbs

Filesize
729B

MD5
a9956f103a6984efe78ef4ce364c5109

SHA1
801da0151f9999457d15246b257279e958bf8b93

SHA256
bd5746a6d9b8d8f513fad375d83e2c0c6d0c65bc05981be8be361f04fa228ccc

SHA512
5e5424abbd0e4b5d19aaa3c44acda1c530f6a71ca6a90e0261f66d51af6a90d8ea866aa31237e417d677b94a533699fdfd6ab1b51ea85f1c36223eb18fd6f620

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1b9b0db-1c3e-44d5-aec2-4ab165957674.vbs

Filesize
729B

MD5
9ae98d881bdb7647db42ffd450bd1625

SHA1
368b126e1ebff5c47a3460054c4aa076e18beb4f

SHA256
fcf19360764602aeb3cb0ce55fb85e93fc0939257d04912d4d53ebd5f7cc4e63

SHA512
4a20834c012f10af236f148a3857fa151d7541163bfd9203c97b49429999c0eae2adb3d2a875e19db9a967c1ef38c3420634df781df7964057da126e2e6b0701

Download Submit
C:\Users\Admin\AppData\Local\Temp\f369b80d-0c27-4a50-a994-7e8f2600f0db.vbs

Filesize
729B

MD5
a36ff7f57717d65fa9f1e24103366503

SHA1
80544b9e0816ce70e8135f4331f4c10b8b8d3043

SHA256
0fa57b4c3e544febfa868a0bccb0ff02a6df09d3995e5876b74fcc50c12d23dd

SHA512
c4467580219f36de1a5eccfd2151f53d9da5322375ee46a1f4d66e5ed11227862b4844992e38a0ffb1fb0492e1f1bfa799f484fe6a53b8372cdeb3e44bb3ad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\o2dZaecEWA.bat

Filesize
218B

MD5
d4f80019657ce2a0ac0b2151ed5767e5

SHA1
132242fb6e752c9b503847912d662fea2fc56cfb

SHA256
c135df44d2466e5fe57ce46171379b230836fd4ea9a888425a8bcfcd17bca470

SHA512
831d3aee67fc627941d05aaff424b018e93cfaf5a53aec127ae7420c40c091994bd47ab2f21e8e90f3f2ddda3fb70797604f27cbd453f5eb95bddffcc62be966

Download Submit
C:\Users\Default\services.exe

Filesize
1.7MB

MD5
a51ade51fe56f7b14fdb61f495e4e80b

SHA1
65fc13af69ee35dcbd29a111a49e34a012404a98

SHA256
17d7e0f222e17462723d8fdfd497a87ed423cc3160500ff3da243f6bfcd88ee2

SHA512
e5751d4b47da55737d22950c910d2dcecc2e1433180d54b1dda51ac52a5b7749a061edb446f413af48967e0e9fa8c37f42836965a2f727eccff7f853dd5fb02f

Download Submit
memory/1032-12-0x000000001B730000-0x000000001B742000-memory.dmp

Filesize
72KB

Download
memory/1032-22-0x00007FFA03C40000-0x00007FFA04701000-memory.dmp

Filesize
10.8MB

Download
memory/1032-0-0x00007FFA03C43000-0x00007FFA03C45000-memory.dmp

Filesize
8KB

Download
memory/1032-120-0x00007FFA03C40000-0x00007FFA04701000-memory.dmp

Filesize
10.8MB

Download
memory/1032-10-0x000000001B720000-0x000000001B728000-memory.dmp

Filesize
32KB

Download
memory/1032-19-0x000000001B890000-0x000000001B89C000-memory.dmp

Filesize
48KB

Download
memory/1032-16-0x000000001B9F0000-0x000000001B9FE000-memory.dmp

Filesize
56KB

Download
memory/1032-9-0x000000001B710000-0x000000001B71C000-memory.dmp

Filesize
48KB

Download
memory/1032-18-0x000000001B880000-0x000000001B88C000-memory.dmp

Filesize
48KB

Download
memory/1032-15-0x000000001B9E0000-0x000000001B9EA000-memory.dmp

Filesize
40KB

Download
memory/1032-14-0x000000001B760000-0x000000001B76C000-memory.dmp

Filesize
48KB

Download
memory/1032-13-0x000000001BC90000-0x000000001C1B8000-memory.dmp

Filesize
5.2MB

Download
memory/1032-23-0x00007FFA03C40000-0x00007FFA04701000-memory.dmp

Filesize
10.8MB

Download
memory/1032-1-0x0000000000280000-0x0000000000440000-memory.dmp

Filesize
1.8MB

Download
memory/1032-17-0x000000001B870000-0x000000001B878000-memory.dmp

Filesize
32KB

Download
memory/1032-8-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

Filesize
64KB

Download
memory/1032-2-0x00007FFA03C40000-0x00007FFA04701000-memory.dmp

Filesize
10.8MB

Download
memory/1032-7-0x000000001B690000-0x000000001B6A6000-memory.dmp

Filesize
88KB

Download
memory/1032-3-0x000000001AF00000-0x000000001AF1C000-memory.dmp

Filesize
112KB

Download
memory/1032-4-0x000000001B6C0000-0x000000001B710000-memory.dmp

Filesize
320KB

Download
memory/1032-5-0x000000001B670000-0x000000001B678000-memory.dmp

Filesize
32KB

Download
memory/1032-6-0x000000001B680000-0x000000001B690000-memory.dmp

Filesize
64KB

Download
memory/1208-119-0x000001ADF6050000-0x000001ADF6072000-memory.dmp

Filesize
136KB

Download
memory/3324-286-0x0000000002E40000-0x0000000002E52000-memory.dmp

Filesize
72KB

Download
memory/5044-274-0x000000001B4C0000-0x000000001B4D2000-memory.dmp

Filesize
72KB

Download