dcrat | f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2025 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe
Size

1.1MB
MD5

007c92b8ad2188efb216f2699a386238
SHA1

c780a61bde93f59fa404ed217707f99e86f0c1fd
SHA256

f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc
SHA512

df65a0fb78ec1453921c8861f73d6dc8379797646d6aa66b7d20ea06bf7688fe4f009d720565c5075724a0da0d657b2bcdc5c4c0717e9ffcabf3d54123ce9e3b
SSDEEP

24576:U2G/nvxW3Ww0tSUtIrZBMreAydD8FVgMjt2:UbA30SaIrfAUD8rM

Score

10^/10

dcrat defense_evasion discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	3760	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3760	schtasks.exe	91

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c5f-10.dat	dcrat
behavioral2/memory/1988-13-0x0000000000B00000-0x0000000000BD6000-memory.dmp	dcrat

Disables Task Manager via registry modification
defense_evasion

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	componentMonitornet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Registry.exe

Executes dropped EXE 15 IoCs

pid	Process
1988	componentMonitornet.exe
1020	Registry.exe
744	Registry.exe
5012	Registry.exe
3176	Registry.exe
3180	Registry.exe
1164	Registry.exe
4800	Registry.exe
5060	Registry.exe
4004	Registry.exe
3928	Registry.exe
2196	Registry.exe
2192	Registry.exe
1288	Registry.exe
1040	Registry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
30	pastebin.com
61	pastebin.com
82	pastebin.com
29	pastebin.com
37	pastebin.com
38	pastebin.com
56	pastebin.com
42	pastebin.com
79	pastebin.com
80	pastebin.com
81	pastebin.com
83	pastebin.com
53	pastebin.com
54	pastebin.com
55	pastebin.com
62	pastebin.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\6ccacd8608530f	componentMonitornet.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\conhost.exe	componentMonitornet.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\088424020bedd6	componentMonitornet.exe
File created	C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9	componentMonitornet.exe
File opened for modification	C:\Program Files\Uninstall Information\Registry.exe	componentMonitornet.exe
File created	C:\Program Files\Uninstall Information\ee2ad38f3d4382	componentMonitornet.exe
File created	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	componentMonitornet.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\Idle.exe	componentMonitornet.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\StartMenuExperienceHost.exe	componentMonitornet.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\55b276f4edf653	componentMonitornet.exe
File created	C:\Program Files\Uninstall Information\Registry.exe	componentMonitornet.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\en-US\explorer.exe	componentMonitornet.exe
File created	C:\Windows\en-US\7a0fd90576e088	componentMonitornet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Registry.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
248	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
968	schtasks.exe
3056	schtasks.exe
1348	schtasks.exe
2252	schtasks.exe
2292	schtasks.exe
476	schtasks.exe
228	schtasks.exe
3084	schtasks.exe
1100	schtasks.exe
1976	schtasks.exe
5068	schtasks.exe
4480	schtasks.exe
744	schtasks.exe
1968	schtasks.exe
1176	schtasks.exe
2776	schtasks.exe
1388	schtasks.exe
5056	schtasks.exe
4380	schtasks.exe
4028	schtasks.exe
2224	schtasks.exe
1312	schtasks.exe
3008	schtasks.exe
2532	schtasks.exe
4424	schtasks.exe
2332	schtasks.exe
2632	schtasks.exe
4740	schtasks.exe
4136	schtasks.exe
4408	schtasks.exe
780	schtasks.exe
1128	schtasks.exe
1676	schtasks.exe
4160	schtasks.exe
3764	schtasks.exe
2228	schtasks.exe
3360	schtasks.exe
1708	schtasks.exe
1880	schtasks.exe
3148	schtasks.exe
1484	schtasks.exe
2588	schtasks.exe
4264	schtasks.exe
4004	schtasks.exe
888	schtasks.exe
3172	schtasks.exe
564	schtasks.exe
1864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1988	componentMonitornet.exe
1988	componentMonitornet.exe
1988	componentMonitornet.exe
1020	Registry.exe
744	Registry.exe
5012	Registry.exe
3176	Registry.exe
3180	Registry.exe
1164	Registry.exe
4800	Registry.exe
5060	Registry.exe
4004	Registry.exe
3928	Registry.exe
2196	Registry.exe
2192	Registry.exe
1288	Registry.exe
1040	Registry.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	componentMonitornet.exe
Token: SeDebugPrivilege	1020	Registry.exe
Token: SeDebugPrivilege	744	Registry.exe
Token: SeDebugPrivilege	5012	Registry.exe
Token: SeDebugPrivilege	3176	Registry.exe
Token: SeDebugPrivilege	3180	Registry.exe
Token: SeDebugPrivilege	1164	Registry.exe
Token: SeDebugPrivilege	4800	Registry.exe
Token: SeDebugPrivilege	5060	Registry.exe
Token: SeDebugPrivilege	4004	Registry.exe
Token: SeDebugPrivilege	3928	Registry.exe
Token: SeDebugPrivilege	2196	Registry.exe
Token: SeDebugPrivilege	2192	Registry.exe
Token: SeDebugPrivilege	1288	Registry.exe
Token: SeDebugPrivilege	1040	Registry.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4440	4812	f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe	87
PID 4812 wrote to memory of 4440	4812	f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe	87
PID 4812 wrote to memory of 4440	4812	f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe	87
PID 4440 wrote to memory of 3600	4440	WScript.exe	92
PID 4440 wrote to memory of 3600	4440	WScript.exe	92
PID 4440 wrote to memory of 3600	4440	WScript.exe	92
PID 3600 wrote to memory of 1988	3600	cmd.exe	94
PID 3600 wrote to memory of 1988	3600	cmd.exe	94
PID 1988 wrote to memory of 1020	1988	componentMonitornet.exe	143
PID 1988 wrote to memory of 1020	1988	componentMonitornet.exe	143
PID 3600 wrote to memory of 248	3600	cmd.exe	144
PID 3600 wrote to memory of 248	3600	cmd.exe	144
PID 3600 wrote to memory of 248	3600	cmd.exe	144
PID 1020 wrote to memory of 2512	1020	Registry.exe	146
PID 1020 wrote to memory of 2512	1020	Registry.exe	146
PID 2512 wrote to memory of 1460	2512	cmd.exe	148
PID 2512 wrote to memory of 1460	2512	cmd.exe	148
PID 2512 wrote to memory of 744	2512	cmd.exe	151
PID 2512 wrote to memory of 744	2512	cmd.exe	151
PID 744 wrote to memory of 4632	744	Registry.exe	152
PID 744 wrote to memory of 4632	744	Registry.exe	152
PID 4632 wrote to memory of 3656	4632	cmd.exe	154
PID 4632 wrote to memory of 3656	4632	cmd.exe	154
PID 4632 wrote to memory of 5012	4632	cmd.exe	155
PID 4632 wrote to memory of 5012	4632	cmd.exe	155
PID 5012 wrote to memory of 1880	5012	Registry.exe	157
PID 5012 wrote to memory of 1880	5012	Registry.exe	157
PID 1880 wrote to memory of 4264	1880	cmd.exe	159
PID 1880 wrote to memory of 4264	1880	cmd.exe	159
PID 1880 wrote to memory of 3176	1880	cmd.exe	161
PID 1880 wrote to memory of 3176	1880	cmd.exe	161
PID 3176 wrote to memory of 4132	3176	Registry.exe	162
PID 3176 wrote to memory of 4132	3176	Registry.exe	162
PID 4132 wrote to memory of 1040	4132	cmd.exe	164
PID 4132 wrote to memory of 1040	4132	cmd.exe	164
PID 4132 wrote to memory of 3180	4132	cmd.exe	166
PID 4132 wrote to memory of 3180	4132	cmd.exe	166
PID 3180 wrote to memory of 2776	3180	Registry.exe	167
PID 3180 wrote to memory of 2776	3180	Registry.exe	167
PID 2776 wrote to memory of 4144	2776	cmd.exe	169
PID 2776 wrote to memory of 4144	2776	cmd.exe	169
PID 2776 wrote to memory of 1164	2776	cmd.exe	170
PID 2776 wrote to memory of 1164	2776	cmd.exe	170
PID 1164 wrote to memory of 3980	1164	Registry.exe	171
PID 1164 wrote to memory of 3980	1164	Registry.exe	171
PID 3980 wrote to memory of 4068	3980	cmd.exe	173
PID 3980 wrote to memory of 4068	3980	cmd.exe	173
PID 3980 wrote to memory of 4800	3980	cmd.exe	174
PID 3980 wrote to memory of 4800	3980	cmd.exe	174
PID 4800 wrote to memory of 5056	4800	Registry.exe	175
PID 4800 wrote to memory of 5056	4800	Registry.exe	175
PID 5056 wrote to memory of 4136	5056	cmd.exe	177
PID 5056 wrote to memory of 4136	5056	cmd.exe	177
PID 5056 wrote to memory of 5060	5056	cmd.exe	178
PID 5056 wrote to memory of 5060	5056	cmd.exe	178
PID 5060 wrote to memory of 4460	5060	Registry.exe	180
PID 5060 wrote to memory of 4460	5060	Registry.exe	180
PID 4460 wrote to memory of 4264	4460	cmd.exe	182
PID 4460 wrote to memory of 4264	4460	cmd.exe	182
PID 4460 wrote to memory of 4004	4460	cmd.exe	183
PID 4460 wrote to memory of 4004	4460	cmd.exe	183
PID 4004 wrote to memory of 1572	4004	Registry.exe	184
PID 4004 wrote to memory of 1572	4004	Registry.exe	184
PID 1572 wrote to memory of 3008	1572	cmd.exe	186

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe
"C:\Users\Admin\AppData\Local\Temp\f1eec0d8c323b0db81ee756d99d00020cf1f7602e4dc158b82c973e9fb5750fc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockdriverintoRefdhcp\zjUQC6Kcs7ptRMsTAo49SRrfh.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\blockdriverintoRefdhcp\IJdp5Y1jjSlcQsS9.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\blockdriverintoRefdhcp\componentMonitornet.exe
      "C:\blockdriverintoRefdhcp\componentMonitornet.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1460
        
        C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3656
        
        C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4264
        
        C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1040
        
        C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OS3CX563UF.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4144
        
        C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4068
        
        C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4136
        
        C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4264
        
        C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3008
        
        C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"
        24⤵
        
        PID:2500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1120
        
        C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"
        26⤵
        
        PID:5104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2368
        
        C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"
        28⤵
        
        PID:4460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4396
        
        C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat"
        30⤵
        
        PID:4652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2660
        
        C:\Users\Default User\Registry.exe
        
        "C:\Users\Default User\Registry.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        32⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:4404
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\blockdriverintoRefdhcp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\blockdriverintoRefdhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\blockdriverintoRefdhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\legal\javafx\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\legal\javafx\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk-1.8\legal\javafx\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\blockdriverintoRefdhcp\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\blockdriverintoRefdhcp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\blockdriverintoRefdhcp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\blockdriverintoRefdhcp\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\blockdriverintoRefdhcp\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\blockdriverintoRefdhcp\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\blockdriverintoRefdhcp\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\blockdriverintoRefdhcp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\blockdriverintoRefdhcp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat

Filesize
199B

MD5
54d1308ef78e837ec6f9ce0ed9675cd7

SHA1
fcf432e375b8684c5cda004978d62f9912617ca1

SHA256
676dd0915681105c8aa09ab0eba88a015b93ac1fdc24abfc2edf8800eddc94d2

SHA512
4c7c9b8a9a6b7814e3e496a500b64fae83bebfd5c69300f5f07c6d941767290b4a415fcebcbf54125c9c204c787e2275ff3cde61d1556f5c054e1ffa03a25c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat

Filesize
199B

MD5
85f05a086352f6094729592f91b1135d

SHA1
38baa879429ac4224a21dcda8364fba4df006291

SHA256
49060a965b047dc0c8430e7f256cb0d50fc98ad6a4febfef253d8c69f3ad032e

SHA512
4b51ce20b70ea861bbca761dd59602167ed9b13d4139aaacdef1c4bf0b89a13b37fe0a55773a10c1f05095f12f1e97f9dcb618e1e8849fe02012553485c279ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

Filesize
199B

MD5
ad49bd77ce0b5dcd498affb51e3ecb2a

SHA1
ce33db084ac23c234a5f7cbe752446191b82ceb5

SHA256
d6b87df9715ed76de5206687ee7967aef0a6e12f90669eda85f76fd9843d1124

SHA512
4abe13bf354bc6b5676259675e34aa960241e1051aabdf34a3c447830ef1512d00bc19129c615f65fe9c524cdfa65b27fe9bdcbf2e5942a7d3b2afb48973c392

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat

Filesize
199B

MD5
0b0837b7f5935bafbc3c470f126a8905

SHA1
f17efd4b9358f3d0f7a0ed1f6571126ce12a3adb

SHA256
2ccf0754b05c3b693ea7f46dda9ebfa427472e9bb98589a2090367bbea57571e

SHA512
7319c6117fe823c35cde5fdbf0423c238883befb4bcd8d3800411cf078310021a155a0b8be8aeb702eade302bfbafc5886c756d768e324833020aaca79ac320a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat

Filesize
199B

MD5
d1aa24a2d032d97f83ffbea864ec5c08

SHA1
eecd9cf151f953786caae8bdf47d3a4f46746f7d

SHA256
f630af0ef31ff55c2d999607dc20b6e5b5432fb25360c833b16dbd095defecad

SHA512
4bd45f0ece823f5e96b3137b98f34a2cea272f7a93f12b4c6265bf17c0ab8a0e263633241f28c63efff189f30ce62b65db3d3ce156f6bd4db3feb6a21e5443e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OS3CX563UF.bat

Filesize
199B

MD5
4b945c39aac3b5b5ba3662ac5d95350f

SHA1
5911b6e71d4c0191433c1c21c9378b824d810a29

SHA256
17b25b1d80717db98ac833e427ecc523ad46935a2e8f34ee98e90ad024ecefe1

SHA512
c16c1e83ab2710fbfadb3a1c7c989003e82c1c7343f8fde8923dfcf0cb77fd56eb164f9d6caf08fe815fc1dab0a4e6f5f01d2c58d47b787a2b8eaf0d499c5308

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat

Filesize
199B

MD5
7aa8f190be2bdd5200132635ca985e64

SHA1
584eaeed8f42f64483e0ad841307872ab066580c

SHA256
a0b451713deb2e44916fe95b24ed25bfe627bee4d4c0782ee67f8cb54c413eac

SHA512
fc094f9090bad3eed2f055069cecef4e9ed7a2da5db3a9128cf08195ae7f44c96a9261e5a51caab003c367622f7463afe5bc619f1df563a9e20c9d00e4d2103a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
199B

MD5
30979b447e5f3806ca1cc7e947059f38

SHA1
16ce70a8f922343a88d67ceb3574eb29c1281083

SHA256
6e328e46c4f305f093c3de4f09af25b84b47f761dfcf234631b879f61e04187c

SHA512
c37c96e7d130c7eaae8724dbee650349aa7cfc6bfd385b1e66c0bff5bbdfbed3bc01f398c76241cfd7d07b2ce10dde6422217d058121d110f08f79e8d44102a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat

Filesize
199B

MD5
c4be9f0a26c748180b8c36558cd05446

SHA1
890242a6bf4b4ca20065143b0900cd42692399f4

SHA256
b376fe2e24ff27fbb29e062424bcc2643fa2c67e5b70d688fcf62561ce4f015d

SHA512
8de9d4b9c6db621297a9c624508a84424ecb21b912278390d943335bc0e83e6703bf5cd3ea5b2b0d5e8496446b40f5879efa1681adbf6b1bda929cb486480313

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
199B

MD5
c07b2259c984e70aca5cc2c710186ec5

SHA1
e6d8a7b71b4ef06b5930562a1851a629a1dec744

SHA256
768b125c2efe8d15e69a1f3beaac3ed0ab014561549fe3cfb668917258d64332

SHA512
c143411fa858e2c7374a58a45ea074f71b2a5666e8dfcacd157add48da89eecbba47de9220033ae336948258646c7edbd38ea30f8b3e97fb7610cd09cd00575c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat

Filesize
199B

MD5
ed7477fc8ce17ad171b85353c4294924

SHA1
e9f72ff032a9955ef8b910de6cc68d369c9af994

SHA256
b9e6d0ac31ec981c899a04025d6ed0027a80a58d93e992594cbb8a7e32e78e16

SHA512
99f6564191173df48d9262fa2fd1763b38f33b0cae41deaa3ad832c7f7fdd4c612ddf53e2ad055649f8b4903a59d8a45df7815953dad81435973072055e2e986

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat

Filesize
199B

MD5
708ecb5fc572c2201069998578769260

SHA1
2e89471a0469e9461f97d9f753b7be2a1c9a8eba

SHA256
ff08266a0f065d3899cfdc7980ec8958d2fdd92b3300dde0cef2f4e26e3afb05

SHA512
ed156b628a0b38f9d25a5081cbf1e065459d138b803ed48d5aa1b62564c1b2057b14e7cc315747fb145826a2fdec8b46ca03fc694017e9f5aab6a1d6979a0674

Download Submit
C:\blockdriverintoRefdhcp\IJdp5Y1jjSlcQsS9.bat

Filesize
163B

MD5
d238a0469d580df22f1581e8f0ce7b40

SHA1
b0ce8e65f7a64ec9d103f4b6eb0c2d3e9acbfedf

SHA256
d7b12013be33200d7a4c296f969e3ba2b77ba4f36aecb527fadfab116f9b1106

SHA512
0c19b5923ed41c83f61315fa9e72337cb16bccc4123838d27ac22a51660413fd8b2cf667e1f52cdeda9d45ef0144d6e25c02bc4d6ba9100deadbc4b6a6786596

Download Submit
C:\blockdriverintoRefdhcp\componentMonitornet.exe

Filesize
827KB

MD5
d839c7258cac4c0c3523ba7e0e0e9ba2

SHA1
78741a8c38f20cf7ea60f4cccaef9cef2266aa24

SHA256
e6f5ab7719b96b1b7e01433debb22d0f399d93839935fce599ea44f30487f6b2

SHA512
826e6d76712477862975dbafa6755d7538b28bff742bc1c918898a6efac152d209e732b381cdddef819df27a6aa9e4ed882b969dec2b8c40517803ecf91cd14f

Download Submit
C:\blockdriverintoRefdhcp\zjUQC6Kcs7ptRMsTAo49SRrfh.vbe

Filesize
215B

MD5
ee3c9a512853fd0790091acea86e5345

SHA1
6f88d7686903cec957dfb5ab3e706d7745ebecdf

SHA256
5457d4c6ab53c891a0a491d709bbe1642f93814804fbc5c91a825169fc80b6a3

SHA512
c114b445d1efa5f69d2bc5817dd48fe1502066c64291bcca3b06f38cb98dc6b36cba8ef9a2c4aa3ebb4de030545423cd46134b0707130e3df3c1d9ed32cced0d

Download Submit
memory/1988-13-0x0000000000B00000-0x0000000000BD6000-memory.dmp

Filesize
856KB

Download
memory/1988-12-0x00007FFD84823000-0x00007FFD84825000-memory.dmp

Filesize
8KB

Download