dcrat | 12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1d

Analysis

max time kernel
109s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
Size

2.5MB
MD5

7bdee2ee81daa1a7302df82cb929de40
SHA1

3b644a36dc0d7f866ac54ea4a50ea3f6f5e0750f
SHA256

12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1d
SHA512

380af22a3b3dc215586a17ea7a1e290d059f3c02671d59d1fd3ecc6b63ca4d92d1cb190aeaf32e9096a50f71317a3cd3a71d9cb5e9aff2c9d2b29a2166bce89a
SSDEEP

49152:BTmiAznN8OLA03GMjKoZYz+WqE3GMAsH4wDnyBMzTvAaULscNpVQPUmXq:0iAzSOLA0cooNrkSD6brVl

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	5104	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	5104	schtasks.exe	88

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2920-13-0x0000000000400000-0x00000000005D8000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3112	powershell.exe
3792	powershell.exe
4688	powershell.exe
4640	powershell.exe
1036	powershell.exe
2136	powershell.exe
1600	powershell.exe
4388	powershell.exe
3744	powershell.exe
2264	powershell.exe
1540	powershell.exe
3884	powershell.exe
5064	powershell.exe
1028	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe

Executes dropped EXE 2 IoCs

pid	Process
5540	unsecapp.exe
6028	unsecapp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2920	3040	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	99
PID 5540 set thread context of 6028	5540	unsecapp.exe	173

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\sppsvc.exe	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX39C1.tmp	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Windows Mail\SearchApp.exe	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File created	C:\Program Files\Google\Chrome\Application\sppsvc.exe	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File created	C:\Program Files\Google\Chrome\Application\0a1fd5f707cd16	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX33F1.tmp	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX3634.tmp	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Windows Mail\RCX3DEC.tmp	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File created	C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File created	C:\Program Files\Windows Mail\SearchApp.exe	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\6ccacd8608530f	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX3943.tmp	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Windows Mail\RCX3DEB.tmp	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX47C5.tmp	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File created	C:\Program Files\Windows Mail\38384e6a620884	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX3710.tmp	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File created	C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX33E0.tmp	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX4747.tmp	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unsecapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unsecapp.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2160	schtasks.exe
1596	schtasks.exe
3560	schtasks.exe
4296	schtasks.exe
4536	schtasks.exe
4776	schtasks.exe
116	schtasks.exe
2832	schtasks.exe
3388	schtasks.exe
4412	schtasks.exe
4988	schtasks.exe
876	schtasks.exe
1872	schtasks.exe
2476	schtasks.exe
1544	schtasks.exe
2428	schtasks.exe
3888	schtasks.exe
4328	schtasks.exe
1516	schtasks.exe
2260	schtasks.exe
2292	schtasks.exe
3452	schtasks.exe
5012	schtasks.exe
1056	schtasks.exe
4584	schtasks.exe
1760	schtasks.exe
1876	schtasks.exe
1804	schtasks.exe
3968	schtasks.exe
3928	schtasks.exe
2480	schtasks.exe
2012	schtasks.exe
1392	schtasks.exe
3500	schtasks.exe
4020	schtasks.exe
1428	schtasks.exe
4828	schtasks.exe
3512	schtasks.exe
4612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
4688	powershell.exe
3884	powershell.exe
4688	powershell.exe
3884	powershell.exe
3792	powershell.exe
3792	powershell.exe
1540	powershell.exe
1540	powershell.exe
2136	powershell.exe
2136	powershell.exe
3112	powershell.exe
3112	powershell.exe
5064	powershell.exe
5064	powershell.exe
1600	powershell.exe
1600	powershell.exe
2264	powershell.exe
2264	powershell.exe
4640	powershell.exe
4640	powershell.exe
1028	powershell.exe
1028	powershell.exe
4388	powershell.exe
4388	powershell.exe
1036	powershell.exe
1036	powershell.exe
3744	powershell.exe
3744	powershell.exe
3112	powershell.exe
3792	powershell.exe
1540	powershell.exe
3884	powershell.exe
1028	powershell.exe
2136	powershell.exe
1036	powershell.exe
1600	powershell.exe
4688	powershell.exe
3744	powershell.exe
5064	powershell.exe
2264	powershell.exe
4640	powershell.exe
4388	powershell.exe
6028	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	6028	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2920	3040	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	99
PID 3040 wrote to memory of 2920	3040	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	99
PID 3040 wrote to memory of 2920	3040	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	99
PID 3040 wrote to memory of 2920	3040	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	99
PID 3040 wrote to memory of 2920	3040	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	99
PID 3040 wrote to memory of 2920	3040	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	99
PID 3040 wrote to memory of 2920	3040	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	99
PID 3040 wrote to memory of 2920	3040	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	99
PID 2920 wrote to memory of 2136	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	139
PID 2920 wrote to memory of 2136	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	139
PID 2920 wrote to memory of 2136	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	139
PID 2920 wrote to memory of 1540	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	140
PID 2920 wrote to memory of 1540	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	140
PID 2920 wrote to memory of 1540	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	140
PID 2920 wrote to memory of 1028	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	141
PID 2920 wrote to memory of 1028	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	141
PID 2920 wrote to memory of 1028	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	141
PID 2920 wrote to memory of 3884	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	142
PID 2920 wrote to memory of 3884	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	142
PID 2920 wrote to memory of 3884	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	142
PID 2920 wrote to memory of 2264	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	143
PID 2920 wrote to memory of 2264	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	143
PID 2920 wrote to memory of 2264	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	143
PID 2920 wrote to memory of 3112	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	145
PID 2920 wrote to memory of 3112	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	145
PID 2920 wrote to memory of 3112	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	145
PID 2920 wrote to memory of 1036	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	146
PID 2920 wrote to memory of 1036	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	146
PID 2920 wrote to memory of 1036	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	146
PID 2920 wrote to memory of 4640	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	148
PID 2920 wrote to memory of 4640	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	148
PID 2920 wrote to memory of 4640	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	148
PID 2920 wrote to memory of 1600	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	149
PID 2920 wrote to memory of 1600	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	149
PID 2920 wrote to memory of 1600	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	149
PID 2920 wrote to memory of 3792	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	150
PID 2920 wrote to memory of 3792	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	150
PID 2920 wrote to memory of 3792	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	150
PID 2920 wrote to memory of 3744	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	151
PID 2920 wrote to memory of 3744	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	151
PID 2920 wrote to memory of 3744	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	151
PID 2920 wrote to memory of 4388	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	152
PID 2920 wrote to memory of 4388	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	152
PID 2920 wrote to memory of 4388	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	152
PID 2920 wrote to memory of 5064	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	154
PID 2920 wrote to memory of 5064	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	154
PID 2920 wrote to memory of 5064	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	154
PID 2920 wrote to memory of 4688	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	155
PID 2920 wrote to memory of 4688	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	155
PID 2920 wrote to memory of 4688	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	155
PID 2920 wrote to memory of 1432	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	167
PID 2920 wrote to memory of 1432	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	167
PID 2920 wrote to memory of 1432	2920	12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe	167
PID 1432 wrote to memory of 3924	1432	cmd.exe	169
PID 1432 wrote to memory of 3924	1432	cmd.exe	169
PID 1432 wrote to memory of 3924	1432	cmd.exe	169
PID 3924 wrote to memory of 4000	3924	w32tm.exe	170
PID 3924 wrote to memory of 4000	3924	w32tm.exe	170
PID 1432 wrote to memory of 5540	1432	cmd.exe	172
PID 1432 wrote to memory of 5540	1432	cmd.exe	172
PID 1432 wrote to memory of 5540	1432	cmd.exe	172
PID 5540 wrote to memory of 6028	5540	unsecapp.exe	173
PID 5540 wrote to memory of 6028	5540	unsecapp.exe	173
PID 5540 wrote to memory of 6028	5540	unsecapp.exe	173

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
"C:\Users\Admin\AppData\Local\Temp\12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe
  "C:\Users\Admin\AppData\Local\Temp\12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\sppsvc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3884
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\unsecapp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\SearchApp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\USOShared\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\unsecapp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\StartMenuExperienceHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5064
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\StartMenuExperienceHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7XDWEJg9xY.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4000
  - - C:\Users\Public\unsecapp.exe
      "C:\Users\Public\unsecapp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5540
    - - C:\Users\Public\unsecapp.exe
        
        "C:\Users\Public\unsecapp.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Public\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\USOShared\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe

Filesize
2.5MB

MD5
8fd29d1680f88dc90328c48ebe932e4b

SHA1
52560de2d483ea13770f53409ef319d3081cb85e

SHA256
bb56394ac6b1ecec7da403c040b387d12e85d3077ba140a4b97416075ce61c7b

SHA512
bc349456bfc6a11aaf0ea38628912a4fe2292a018d41764226adff958d067204d0d962eea3735b4d6c2679f72114e0b66332ce278ea659cfacfbe3673aeef91e

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe

Filesize
2.5MB

MD5
279c6fc641b1e80904c17f18129a7622

SHA1
c98e57ddae8e8b72e849866101e44e90fd63367d

SHA256
4a24f7d85c0a8923063505816d19f8a8ffb67b69aaf63630c381041a5e0f426d

SHA512
0ce8016655ea37b7f8c9d47663d68a5bd588f6731d72dad639ca5e8f5b0adf97a98a4e66b9ab777086df89a1590c1aff9de4bfadfa1f9ecf2e46c6e0d31a660b

Download Submit
C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe

Filesize
2.5MB

MD5
bb0aff1ad763b1833b0573f8807c6fbf

SHA1
a71f6da0564226cd796dffe6456bea4624f748d3

SHA256
0c42d8472bd277dbf8092767ba59e666fc19b1cf662b3af144bf825127c82325

SHA512
ca002e7d188686eb3c3c71446ffab4af0ca6775e9f5e7c2aead7fef268499ab9a65e43995177befd28774c9fd7a72e485ac465ba4b6407a7246ea439b96fc353

Download Submit
C:\Recovery\WindowsRE\sysmon.exe

Filesize
2.5MB

MD5
2e3d204de7281589d14b3ae23ad037c2

SHA1
b0ee11a037deb2d8f34242aafe8e72e80a549267

SHA256
39e38e3974b9110b8e61de54479d7091897fb4c2d0ff134479b1ae795230786b

SHA512
a4cf638c953a40d48c75189ed314aed9b952ce30c9c11745d96c9982a4f786f5a9da1ba1905def37d5fa448e935ac60604324db75a040f2127fa6cb5c25d9eb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1dN.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d7a8e7b3a9c0a396db0e6506142ff853

SHA1
291a94006f8709d488d74cdfe06e64d9bf1f7e4f

SHA256
5b17eeda387068acdf3ed50db4bca11698b6c2c50c16b34af9969ca2681c3c7f

SHA512
0f9f56566c4f32a24d8368069cf7c7fc280f20c5f266db9fc1377d5d0388eb0fb08040511e37cc836025333998deb8c6c30eb5305628c7fa51d7cae6131072e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e34e4cc643ee7077433a8ae48e1229a8

SHA1
2a089df15307df511525a12d978a60dc53730473

SHA256
c49df76018a272b043fa58f53c4486f2c5e23d7643c509dee7be954f2e07fa9d

SHA512
4d886aa611f5b10d5c6abd07ccbe69d54d9d5e8c2c292771c8dfe79bd06afafe2d2453ac61314b6c6d1a1a402db90d02c03e091a4acd1de739c11c955dcd14ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
38f594687e7de1db0864a2d9ee2e6f5b

SHA1
fd1b470b4ef73259c05068959454f2f7a12268e8

SHA256
0321452d511a37db2d2cb51bf4901707c6da159c33bd117993a405888601e8f6

SHA512
320752a1416c688cfec4ea8593caa852b7c5263727f932756e368be60688d0e6e8d7a9485165bd68971428d2db642b35136cb0eed9f70603ae751e11f44cfb52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c66b59353a58e044590e38ea3c510e54

SHA1
b0e6e07b0455a1a39c64f40690caaa403739eb69

SHA256
15c2a5b46fd1dd96d1567aa9d30e75e8b3d4fa427e2082258e9763c93718e84c

SHA512
05c540ffa6da1b93313a465875e8de8a7cffc1c36eb207e9e687dc39b8183494eadd89cee525c968dd19b6bd5080b9b11e6575b8b851cc38cc60bf5b34b1ea55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
893fbb2c314eb64640053fd507350955

SHA1
4d2f2334fe012be7594f646b5720566ff04fa572

SHA256
de488fdda58314e6187e593761c098b793b83962bbc37edf9a30eedd780e1fe4

SHA512
1988b6fdf31adef8b414f25df8201b32a152ceb43ab9996f9b0f9eecf6e47cd294ad836c303608dbc530dafadafc24bf4a1d95843015eb71c97f1760349d35c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
492abc8d011d754166695759a8676d13

SHA1
70fb4240ade970173ac1dcc96a84d99a9a2d5ebb

SHA256
e2646e3e4a11bfd931746dec671cc0a89e23bb3d8b0d9a845d498cdd11d6772f

SHA512
9887bd403ac733564e86004071d4b359787716e64ffcfc8013a9c3eea45b742e631bb268d96c41cec683d7b833aad4bbc26588712cc6825832ffad27669dc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
73c421a40f6797bdb8f5f14bcf5fc2fa

SHA1
fbaf6961004678e0df8c9615d6489d80bbaa28b3

SHA256
4889eb1d834b484907a08ac963d5ea1e34a4f80a2adb28a0c4d492b153a66709

SHA512
e2a23f100af22bb03f481794429fe0bc56584e66442677a727999553467df3b8237cbfc38bbc4e7e3b1c0b4c523a7e95582472def8088d840c2ca07f63b6d0fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
9dee76b215c7baf5efb7635b91b2485e

SHA1
3e0b7d575eef9cdad183747dc20d739b65b48ac7

SHA256
9a002201dbcd66f3ef505c0f6712cfb197968493339f11852f3fc4af3c32432f

SHA512
42b1fd84605c071f181dea0db073040dc6514ddd77e4625d908cc3f7b2d11b4adcf3a0796d1eb412edec2f69015de4f0cd8f9e375622e0878af387d9079329bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7XDWEJg9xY.bat

Filesize
193B

MD5
3c82797b330ad67e3b52765dde4c50fe

SHA1
767d20ccdbc0f945861ed4906849d57646b4faab

SHA256
35aa2824e6f0cc84735010c192a24a950dffe5d084f4cb2b7c7b842bcc7a4594

SHA512
99e4b5440b7e0d46d3978bf07ed0a304ce591b60abf5caf5bea6dee548d79fe1e4680470069b047b8f523676ee3f047c83db6ffcb007faa61d2409abb08ae941

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1njfw43z.y1h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\RuntimeBroker.exe

Filesize
2.5MB

MD5
7beb02f0c24e5d4d0d14ff496922a5b1

SHA1
4972b43b74505866647cd784f35f8ed1bc952531

SHA256
541fa258b0d2849a0dfc958a5ffdfd45d737e879b84af9b8ecad4efe6ee81d01

SHA512
6cfa914341cc7243649d4ff8657b82f498392f1ff6443e34175120c0ec132eaf5d558ac4202e1cd701dc4270a2892be6a80abb52741a58e7b37e4d949ec916ae

Download Submit
C:\Users\Default\Favorites\StartMenuExperienceHost.exe

Filesize
2.5MB

MD5
5e923adc7948f1dc5250cdec6fadc469

SHA1
6866f350c69002a54b6405d8579fd0f75a34b23f

SHA256
448f82e98ef7e30f35d031faa49b18a8203061bfc123bc6dfb83bfe0846ed02a

SHA512
35626b3ed6f1db29c09b3c8fd8904b0d66b21a41bc82d4c5ed2578b4691290f0426242aa158dc8b7f190e4c95933f27f67d16cbc1a7f0b44fa2790f5993696e7

Download Submit
C:\Users\Public\unsecapp.exe

Filesize
2.5MB

MD5
7bdee2ee81daa1a7302df82cb929de40

SHA1
3b644a36dc0d7f866ac54ea4a50ea3f6f5e0750f

SHA256
12b4390b9cc5cbe0a55742e6263d2733c4b97006817325b5e6c4d4da85ac6b1d

SHA512
380af22a3b3dc215586a17ea7a1e290d059f3c02671d59d1fd3ecc6b63ca4d92d1cb190aeaf32e9096a50f71317a3cd3a71d9cb5e9aff2c9d2b29a2166bce89a

Download Submit
memory/1028-434-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/1036-490-0x0000000007230000-0x000000000723E000-memory.dmp

Filesize
56KB

Download
memory/1036-488-0x0000000007250000-0x00000000072E6000-memory.dmp

Filesize
600KB

Download
memory/1036-372-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/1036-491-0x00000000072F0000-0x0000000007304000-memory.dmp

Filesize
80KB

Download
memory/1036-492-0x0000000007330000-0x000000000734A000-memory.dmp

Filesize
104KB

Download
memory/1036-493-0x0000000007310000-0x0000000007318000-memory.dmp

Filesize
32KB

Download
memory/1540-352-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/1600-414-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/2136-393-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/2264-204-0x00000000056F0000-0x0000000005D18000-memory.dmp

Filesize
6.2MB

Download
memory/2264-373-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/2920-21-0x00000000017E0000-0x00000000017F0000-memory.dmp

Filesize
64KB

Download
memory/2920-206-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2920-23-0x0000000006140000-0x0000000006196000-memory.dmp

Filesize
344KB

Download
memory/2920-186-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2920-22-0x0000000001800000-0x0000000001816000-memory.dmp

Filesize
88KB

Download
memory/2920-24-0x0000000005B40000-0x0000000005B4E000-memory.dmp

Filesize
56KB

Download
memory/2920-17-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2920-162-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2920-25-0x0000000006190000-0x000000000619C000-memory.dmp

Filesize
48KB

Download
memory/2920-20-0x00000000060F0000-0x0000000006140000-memory.dmp

Filesize
320KB

Download
memory/2920-19-0x00000000017B0000-0x00000000017CC000-memory.dmp

Filesize
112KB

Download
memory/2920-18-0x00000000017A0000-0x00000000017A8000-memory.dmp

Filesize
32KB

Download
memory/2920-13-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2920-15-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2920-28-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/3040-16-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/3040-4-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/3040-3-0x0000000005A80000-0x0000000005B12000-memory.dmp

Filesize
584KB

Download
memory/3040-2-0x0000000005F80000-0x0000000006524000-memory.dmp

Filesize
5.6MB

Download
memory/3040-5-0x0000000005C90000-0x0000000005C9A000-memory.dmp

Filesize
40KB

Download
memory/3040-1-0x0000000000F70000-0x00000000011F0000-memory.dmp

Filesize
2.5MB

Download
memory/3040-8-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/3040-12-0x000000000C960000-0x000000000CB86000-memory.dmp

Filesize
2.1MB

Download
memory/3040-11-0x000000000B5B0000-0x000000000B64C000-memory.dmp

Filesize
624KB

Download
memory/3040-0-0x00000000751CE000-0x00000000751CF000-memory.dmp

Filesize
4KB

Download
memory/3040-10-0x000000000B2E0000-0x000000000B510000-memory.dmp

Filesize
2.2MB

Download
memory/3040-9-0x0000000005F60000-0x0000000005F6E000-memory.dmp

Filesize
56KB

Download
memory/3040-6-0x0000000005F40000-0x0000000005F5A000-memory.dmp

Filesize
104KB

Download
memory/3040-7-0x00000000751CE000-0x00000000751CF000-memory.dmp

Filesize
4KB

Download
memory/3112-351-0x0000000007310000-0x00000000073B3000-memory.dmp

Filesize
652KB

Download
memory/3112-413-0x0000000007A90000-0x000000000810A000-memory.dmp

Filesize
6.5MB

Download
memory/3112-424-0x0000000007440000-0x000000000745A000-memory.dmp

Filesize
104KB

Download
memory/3112-350-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/3112-484-0x00000000074D0000-0x00000000074DA000-memory.dmp

Filesize
40KB

Download
memory/3112-340-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/3112-489-0x0000000007660000-0x0000000007671000-memory.dmp

Filesize
68KB

Download
memory/3112-339-0x00000000066F0000-0x0000000006722000-memory.dmp

Filesize
200KB

Download
memory/3112-338-0x0000000006410000-0x000000000645C000-memory.dmp

Filesize
304KB

Download
memory/3112-337-0x0000000006120000-0x000000000613E000-memory.dmp

Filesize
120KB

Download
memory/3744-454-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/3792-207-0x0000000005650000-0x0000000005672000-memory.dmp

Filesize
136KB

Download
memory/3792-362-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/3792-227-0x0000000006140000-0x0000000006494000-memory.dmp

Filesize
3.3MB

Download
memory/3792-213-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/3884-392-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/3884-202-0x0000000004B80000-0x0000000004BB6000-memory.dmp

Filesize
216KB

Download
memory/4388-474-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/4640-444-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/4688-394-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/5064-464-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download