dcrat | c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
09-02-2025 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
Size

1.7MB
MD5

df36d28f020b6dca0a2e267cefbc2311
SHA1

859e308d90cab32fabcce1d9d27b1012d09249dc
SHA256

c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58
SHA512

d053e1d6e96c656117cc2093ea7190325f989e67a2d9c28c6af9fc8a2f37bda9ac463533593d17de759d02a3ea0ff1ef54a687429da54309fe865cd2fda6b537
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3408-1-0x0000000000AF0000-0x0000000000CB0000-memory.dmp	dcrat
behavioral2/files/0x000a000000023e1d-77.dat	dcrat
behavioral2/files/0x0007000000023df9-30.dat	dcrat
behavioral2/files/0x000a000000023de9-158.dat	dcrat
behavioral2/files/0x0009000000023e07-181.dat	dcrat
behavioral2/files/0x000c000000023e09-216.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4892	powershell.exe
4708	powershell.exe
2400	powershell.exe
1516	powershell.exe
4664	powershell.exe
4032	powershell.exe
1592	powershell.exe
3592	powershell.exe
3020	powershell.exe
1352	powershell.exe
3552	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
45	1420	Process not Found

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 3 IoCs

pid	Process
4556	dwm.exe
2064	dwm.exe
1900	dwm.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\hrtfs\22eafd247d37c3	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RCXD3EA.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Program Files\Google\Chrome\Application\explorer.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\fontdrvhost.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RCXD3EB.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\RCXE0A7.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\TextInputHost.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\TextInputHost.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Program Files\Google\Chrome\Application\7a0fd90576e088	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\5b884080fd4f94	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXCF52.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXCF53.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\explorer.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\fontdrvhost.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\RCXE029.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ja-JP\RCXCB29.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCXCD3D.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCXCD3E.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Windows\DiagTrack\Scenarios\eddb19405b7ce1	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Windows\Migration\WTR\csrss.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Windows\ja-JP\SppExtComObj.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Windows\PolicyDefinitions\ee2ad38f3d4382	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\Migration\WTR\RCXC922.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\Migration\WTR\RCXC923.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\Panther\setup.exe\RCXD8EF.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Windows\DiagTrack\Scenarios\backgroundTaskHost.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\DiagTrack\Scenarios\backgroundTaskHost.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Windows\Migration\WTR\886983d96e3d3e	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\Panther\setup.exe\RCXD96D.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Windows\System\Speech\OfficeClickToRun.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\ja-JP\RCXCB28.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\DiagTrack\Scenarios\RCXC46B.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\Migration\WTR\csrss.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\ja-JP\SppExtComObj.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\PolicyDefinitions\Registry.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Windows\Panther\setup.exe\StartMenuExperienceHost.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Windows\ja-JP\e1ef82546f0b02	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Windows\CSC\sppsvc.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\DiagTrack\Scenarios\RCXC47C.tmp	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File opened for modification	C:\Windows\Panther\setup.exe\StartMenuExperienceHost.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Windows\PolicyDefinitions\Registry.exe	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
File created	C:\Windows\Panther\setup.exe\55b276f4edf653	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4544	MicrosoftEdgeUpdate.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
Key created	\REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1416	schtasks.exe
1580	schtasks.exe
4956	schtasks.exe
2060	schtasks.exe
1276	schtasks.exe
4644	schtasks.exe
3292	schtasks.exe
620	schtasks.exe
3420	schtasks.exe
1992	schtasks.exe
1888	schtasks.exe
908	schtasks.exe
3176	schtasks.exe
2912	schtasks.exe
2596	schtasks.exe
4712	schtasks.exe
4820	schtasks.exe
2436	schtasks.exe
4636	schtasks.exe
3264	schtasks.exe
3672	schtasks.exe
824	schtasks.exe
4484	schtasks.exe
1056	schtasks.exe
4836	schtasks.exe
4524	schtasks.exe
2292	schtasks.exe
2460	schtasks.exe
2524	schtasks.exe
864	schtasks.exe
2192	schtasks.exe
2324	schtasks.exe
3992	schtasks.exe
4828	schtasks.exe
1760	schtasks.exe
4264	schtasks.exe
5032	schtasks.exe
3480	schtasks.exe
3524	schtasks.exe
2676	schtasks.exe
1964	schtasks.exe
3708	schtasks.exe
1836	schtasks.exe
1784	schtasks.exe
844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
4892	powershell.exe
4892	powershell.exe
2400	powershell.exe
2400	powershell.exe
1352	powershell.exe
1352	powershell.exe
3552	powershell.exe
3552	powershell.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4556	dwm.exe
Token: SeDebugPrivilege	2064	dwm.exe
Token: SeDebugPrivilege	1900	dwm.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 4708	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	136
PID 3408 wrote to memory of 4708	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	136
PID 3408 wrote to memory of 4892	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	137
PID 3408 wrote to memory of 4892	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	137
PID 3408 wrote to memory of 1592	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	138
PID 3408 wrote to memory of 1592	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	138
PID 3408 wrote to memory of 3552	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	139
PID 3408 wrote to memory of 3552	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	139
PID 3408 wrote to memory of 1352	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	140
PID 3408 wrote to memory of 1352	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	140
PID 3408 wrote to memory of 4032	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	141
PID 3408 wrote to memory of 4032	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	141
PID 3408 wrote to memory of 4664	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	142
PID 3408 wrote to memory of 4664	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	142
PID 3408 wrote to memory of 1516	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	143
PID 3408 wrote to memory of 1516	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	143
PID 3408 wrote to memory of 2400	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	145
PID 3408 wrote to memory of 2400	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	145
PID 3408 wrote to memory of 3020	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	146
PID 3408 wrote to memory of 3020	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	146
PID 3408 wrote to memory of 3592	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	147
PID 3408 wrote to memory of 3592	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	147
PID 3408 wrote to memory of 4556	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	158
PID 3408 wrote to memory of 4556	3408	c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe	158
PID 4556 wrote to memory of 2720	4556	dwm.exe	159
PID 4556 wrote to memory of 2720	4556	dwm.exe	159
PID 4556 wrote to memory of 2388	4556	dwm.exe	160
PID 4556 wrote to memory of 2388	4556	dwm.exe	160
PID 2720 wrote to memory of 2064	2720	WScript.exe	166
PID 2720 wrote to memory of 2064	2720	WScript.exe	166
PID 2064 wrote to memory of 3384	2064	dwm.exe	167
PID 2064 wrote to memory of 3384	2064	dwm.exe	167
PID 2064 wrote to memory of 2252	2064	dwm.exe	168
PID 2064 wrote to memory of 2252	2064	dwm.exe	168
PID 3384 wrote to memory of 1900	3384	WScript.exe	173
PID 3384 wrote to memory of 1900	3384	WScript.exe	173
PID 1900 wrote to memory of 3292	1900	dwm.exe	174
PID 1900 wrote to memory of 3292	1900	dwm.exe	174
PID 1900 wrote to memory of 1392	1900	dwm.exe	175
PID 1900 wrote to memory of 1392	1900	dwm.exe	175

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe
"C:\Users\Admin\AppData\Local\Temp\c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Users\Default User\dwm.exe
  "C:\Users\Default User\dwm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\303a575f-cdee-412a-953f-29dfdab6063a.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Default User\dwm.exe
      "C:\Users\Default User\dwm.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc63271b-fc7e-4831-8426-89d9a3ba0cb1.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3384
      - C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3222ead0-acdd-4a97-88bf-1bf089716753.vbs"
        7⤵
        
        PID:3292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a665267b-88ee-4540-b8bd-bb874346e257.vbs"
        7⤵
        
        PID:1392
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\630df01f-9d50-4411-aead-f590e0715e31.vbs"
        5⤵
        
        PID:2252
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ea6a6d6-2b76-4869-82bb-242a209026ba.vbs"
    3⤵
    PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\DiagTrack\Scenarios\backgroundTaskHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\DiagTrack\Scenarios\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\SppExtComObj.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\Registry.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\fontdrvhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\setup.exe\StartMenuExperienceHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\setup.exe\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\TextInputHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0FBQzk4RUItNDRDNS00RUNELTg1NjYtMUVGREQwOEI3RTkyfSIgdXNlcmlkPSJ7MjU3Q0Q5NzAtQzMzNy00QzM0LTg3NEMtRUI4NTE1MjhCMEQ1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDQzNDhGMEQtNTFEMC00QzE2LTlGODUtNEMyM0RFRkQyOTJDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ5MjgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNzQzMjM4OTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDIwODQ3OTUzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regid.1991-06.com.microsoft\explorer.exe

Filesize
1.7MB

MD5
c2ff99dd538fecaff1fe13aef705eddf

SHA1
5bd149d986640ce38c54080bc2d322f2420b8b8e

SHA256
f6f693b8a941aa8147b54ef81e00a151dffc516c87bf5238366d2a02c2e6a874

SHA512
06f958bba87a5ccc05ee645ba85dd93d8ccd38a1229baf293ea2836a72dc5aa27f7c6c97ee71e5343dcef2198c6196b2f70fb511d2d50b5cd8addd0e08988b2d

Download Submit
C:\Recovery\WindowsRE\Registry.exe

Filesize
1.7MB

MD5
ddeff4712e84b273d5296b64e7956041

SHA1
286ebe48b444e82bc754ca2f639d91592bf3f127

SHA256
bc03177a94dc3fca1a674066dfe5fe1e016f2aeaad1b85ee02b282b8103f654d

SHA512
62898a9c148c68630466e83c37b4519a3b45885a1cd06e54db8c5219b108a27ff023518bc545d3159874d4448c616dc7d85d5c3afff6fe4a5c2673a1ea546423

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.7MB

MD5
99c067db1462e2b0c5dd01aa5cba0aca

SHA1
1f61098259fb537a1991a0f174908172749f4369

SHA256
1bb14c665109f80b48c818a1e54782b7a01beb27c5bfd63b354ab17529dc971a

SHA512
89c5a15a183793e21f1f4fd91afc07b46acd94a31f2d804e80d7fa2e4f94a41ad8cefe6540a4da34eb530f9b234d90fbeea425c571eb202312238061fd39acde

Download Submit
C:\Recovery\WindowsRE\dwm.exe

Filesize
1.7MB

MD5
24e3a95a7bae77ae04f4caa8b5073db4

SHA1
91a325de1f898f84d9c67d507495e7871dff5e43

SHA256
0b50041c89d46af16e0ec6caf0e5e4b16ea9f6b54e756ef129a8b58a03f413c0

SHA512
238ebeb2259da146a94a5fbeb5b2c806dabd6de9149a334910d0ea9c60053dafb4a1da0955646398804cc34f5ab134d57ca3725bcf9d1b1c8027b07ecc6b3315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\303a575f-cdee-412a-953f-29dfdab6063a.vbs

Filesize
705B

MD5
114668d2199b4e091c38e2fea8929821

SHA1
d6b81174fa5d9860de0ac459e172e6e0814a42d7

SHA256
eb9f7b823a25ab96c89f2929e9aacdbf115fb7a87ba19fee3b831ca2ac7f0c58

SHA512
d04d20979f965593aa518a7e9a5ca3058a4eab1793272479c7f356ef2d1d388b9b37cb3d4f657e93591d1f5c65fdcfebe8924c3774b39a556503311131e70998

Download Submit
C:\Users\Admin\AppData\Local\Temp\3222ead0-acdd-4a97-88bf-1bf089716753.vbs

Filesize
705B

MD5
2a8ad8d39b8bc3602dc3348abd707051

SHA1
80fb7b650192dc79492207bbfdda0adc2ac2a3dd

SHA256
382ffb975dd3b5c4f210e786ce38e42adf135fd33a0bdd9d20eb49cff07eae06

SHA512
ecee9f9e8576ce677b4ea05c3b62976a9f2419c3a11d2820994c2a7623c904de1d90648ac90bd0f4796a6dcf59695d68057e10a9c561919caa4f9898e307ae83

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ea6a6d6-2b76-4869-82bb-242a209026ba.vbs

Filesize
481B

MD5
cbf5f58bf405dee64a8bb9983ac9f11d

SHA1
260cb475d83660e8e9d3de338f2c463f05794eb0

SHA256
1a5d2c9b8a8774f7c49c904bcad4a82ef2c2a3880182e14aa22f152073bde140

SHA512
0de39c867660d215e8126143b778e0689ff0aeb44c8636b1e9c0e960189276a2eaa64c2af00b01bf3a3410918e306c000f6296539c6106a90d1f0aec2f65a286

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wadyonca.i3p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc63271b-fc7e-4831-8426-89d9a3ba0cb1.vbs

Filesize
705B

MD5
ad74a1a4fcf449b0ba4ba73cdacd0156

SHA1
d98ab295f0829936fcaa33b9d4e0556863941b48

SHA256
0deaf0ecb23126c4a3a03d893bcb17419f872acb73f84cfe3d0c5f45175cdb71

SHA512
d288a8e084c1afc7bf7702946385c85db568124f5367ec491cc2bc1691104698fa4017f7d6e647d41e69a2db5aaec060bd4dfec07dd46c0fbdcc8ca2bf77de9f

Download Submit
C:\Windows\PolicyDefinitions\Registry.exe

Filesize
1.7MB

MD5
df36d28f020b6dca0a2e267cefbc2311

SHA1
859e308d90cab32fabcce1d9d27b1012d09249dc

SHA256
c6c9f9547c807c568ff10aad8e8655be2b1eb6245b21e80622a1c75acfba9e58

SHA512
d053e1d6e96c656117cc2093ea7190325f989e67a2d9c28c6af9fc8a2f37bda9ac463533593d17de759d02a3ea0ff1ef54a687429da54309fe865cd2fda6b537

Download Submit
memory/1352-292-0x000002E474610000-0x000002E474632000-memory.dmp

Filesize
136KB

Download
memory/1900-439-0x000000001B890000-0x000000001B8A2000-memory.dmp

Filesize
72KB

Download
memory/3408-3-0x0000000002DA0000-0x0000000002DBC000-memory.dmp

Filesize
112KB

Download
memory/3408-18-0x000000001B8E0000-0x000000001B8EC000-memory.dmp

Filesize
48KB

Download
memory/3408-6-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/3408-5-0x0000000002DC0000-0x0000000002DC8000-memory.dmp

Filesize
32KB

Download
memory/3408-0-0x00007FF8DE023000-0x00007FF8DE025000-memory.dmp

Filesize
8KB

Download
memory/3408-8-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/3408-172-0x00007FF8DE023000-0x00007FF8DE025000-memory.dmp

Filesize
8KB

Download
memory/3408-10-0x0000000002F30000-0x0000000002F38000-memory.dmp

Filesize
32KB

Download
memory/3408-184-0x00007FF8DE020000-0x00007FF8DEAE1000-memory.dmp

Filesize
10.8MB

Download
memory/3408-185-0x00007FF8DE020000-0x00007FF8DEAE1000-memory.dmp

Filesize
10.8MB

Download
memory/3408-13-0x000000001C5E0000-0x000000001CB08000-memory.dmp

Filesize
5.2MB

Download
memory/3408-231-0x00007FF8DE020000-0x00007FF8DEAE1000-memory.dmp

Filesize
10.8MB

Download
memory/3408-16-0x0000000002F80000-0x0000000002F8E000-memory.dmp

Filesize
56KB

Download
memory/3408-7-0x0000000002F00000-0x0000000002F16000-memory.dmp

Filesize
88KB

Download
memory/3408-394-0x00007FF8DE020000-0x00007FF8DEAE1000-memory.dmp

Filesize
10.8MB

Download
memory/3408-1-0x0000000000AF0000-0x0000000000CB0000-memory.dmp

Filesize
1.8MB

Download
memory/3408-15-0x000000001B920000-0x000000001B92A000-memory.dmp

Filesize
40KB

Download
memory/3408-23-0x00007FF8DE020000-0x00007FF8DEAE1000-memory.dmp

Filesize
10.8MB

Download
memory/3408-19-0x000000001B8C0000-0x000000001B8CC000-memory.dmp

Filesize
48KB

Download
memory/3408-20-0x00007FF8DE020000-0x00007FF8DEAE1000-memory.dmp

Filesize
10.8MB

Download
memory/3408-17-0x000000001B8D0000-0x000000001B8D8000-memory.dmp

Filesize
32KB

Download
memory/3408-14-0x0000000002F70000-0x0000000002F7C000-memory.dmp

Filesize
48KB

Download
memory/3408-12-0x0000000002F40000-0x0000000002F52000-memory.dmp

Filesize
72KB

Download
memory/3408-9-0x0000000002F20000-0x0000000002F2C000-memory.dmp

Filesize
48KB

Download
memory/3408-4-0x000000001B870000-0x000000001B8C0000-memory.dmp

Filesize
320KB

Download
memory/3408-2-0x00007FF8DE020000-0x00007FF8DEAE1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-395-0x0000000002F90000-0x0000000002FA2000-memory.dmp

Filesize
72KB

Download