dcrat | 35916e8b40ec27b8f3a931566a94f5a464dc9e5783c7fca1bdd194e7193bf0d7

Analysis

max time kernel
150s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6e2e288705c6ca37ed2968b4ff7e7ca.exe
Size

1.6MB
MD5

d6e2e288705c6ca37ed2968b4ff7e7ca
SHA1

8f716b10bcfbb3adde8630ac0b4753068d3acf3b
SHA256

9d2b3033c9a5a32d0f15fd62edf41ee48ae15b47db8b7e0ef3208e5e5a7a3bef
SHA512

164fc15637eb15d663a6e436203fb9982ee7a8a867c2653f9505434424011cf13cee96008bcd6c0fee1650e713ac5a3a6bfc3a74798bf56f661cbe1d2c612743
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5348	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5652	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6128	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5196	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6068	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1656	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	1656	schtasks.exe	88

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral24/memory/2952-1-0x00000000008E0000-0x0000000000A82000-memory.dmp	dcrat
behavioral24/files/0x00070000000242df-26.dat	dcrat
behavioral24/files/0x000b000000024100-67.dat	dcrat
behavioral24/files/0x000b00000002430c-137.dat	dcrat
behavioral24/files/0x00080000000242ec-171.dat	dcrat
behavioral24/files/0x00090000000242ef-183.dat	dcrat
behavioral24/files/0x00080000000242f5-201.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2424	powershell.exe
2600	powershell.exe
4360	powershell.exe
4364	powershell.exe
4860	powershell.exe
388	powershell.exe
5024	powershell.exe
5628	powershell.exe
4380	powershell.exe
4400	powershell.exe
4560	powershell.exe
5064	powershell.exe
4520	powershell.exe
4420	powershell.exe
2060	powershell.exe
3736	powershell.exe
3168	powershell.exe
1872	powershell.exe
1216	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 14 IoCs

pid	Process
1936	SearchApp.exe
4672	SearchApp.exe
4944	SearchApp.exe
5300	SearchApp.exe
4260	SearchApp.exe
4608	SearchApp.exe
4148	SearchApp.exe
3760	SearchApp.exe
3532	SearchApp.exe
3028	SearchApp.exe
4532	SearchApp.exe
5044	SearchApp.exe
2272	SearchApp.exe
5580	SearchApp.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files\WindowsPowerShell\eddb19405b7ce1	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\taskhostw.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files\edge_BITS_4604_2014095729\38384e6a620884	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files\edge_BITS_4664_724051295\e1ef82546f0b02	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\fontdrvhost.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\RCXA1C1.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\taskhostw.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\taskhostw.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\edge_BITS_4664_724051295\RCXB54A.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\fontdrvhost.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files\edge_BITS_4664_724051295\SppExtComObj.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\edge_BITS_4312_1875161395\RCX9158.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCX9D29.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\edge_BITS_4604_2014095729\RCXB334.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\edge_BITS_4664_724051295\SppExtComObj.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\edge_BITS_4312_1875161395\fontdrvhost.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX961E.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\RCXA1C0.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\taskhostw.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\ea9f0e6c9e2dcd	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCX9DA7.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\edge_BITS_4604_2014095729\RCXB344.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\edge_BITS_4664_724051295\RCXB549.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files\edge_BITS_4312_1875161395\5b884080fd4f94	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\5b884080fd4f94	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\edge_BITS_4312_1875161395\RCX9147.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\RCX9862.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files\edge_BITS_4312_1875161395\fontdrvhost.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\ea9f0e6c9e2dcd	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX963E.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\RCX990F.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\winlogon.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCXABFA.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCXABFB.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\services.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXB75F.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\winlogon.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Windows\GameBarPresenceWriter\services.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Windows\Prefetch\ReadyBoot\cc11b995f2a76d	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXB75E.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Windows\GameBarPresenceWriter\c5b4cb5e9653cc	d6e2e288705c6ca37ed2968b4ff7e7ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6128	schtasks.exe
2748	schtasks.exe
428	schtasks.exe
4556	schtasks.exe
4384	schtasks.exe
3268	schtasks.exe
4548	schtasks.exe
4540	schtasks.exe
4400	schtasks.exe
4604	schtasks.exe
4744	schtasks.exe
4144	schtasks.exe
3376	schtasks.exe
1216	schtasks.exe
4432	schtasks.exe
1988	schtasks.exe
3764	schtasks.exe
2476	schtasks.exe
3000	schtasks.exe
4360	schtasks.exe
4488	schtasks.exe
4848	schtasks.exe
5652	schtasks.exe
976	schtasks.exe
4860	schtasks.exe
4380	schtasks.exe
4464	schtasks.exe
1592	schtasks.exe
2372	schtasks.exe
4320	schtasks.exe
4156	schtasks.exe
3292	schtasks.exe
2600	schtasks.exe
4692	schtasks.exe
4728	schtasks.exe
4752	schtasks.exe
2444	schtasks.exe
4496	schtasks.exe
1380	schtasks.exe
2308	schtasks.exe
5196	schtasks.exe
2860	schtasks.exe
2352	schtasks.exe
2424	schtasks.exe
4420	schtasks.exe
4660	schtasks.exe
4644	schtasks.exe
4428	schtasks.exe
1176	schtasks.exe
6068	schtasks.exe
3128	schtasks.exe
5348	schtasks.exe
4880	schtasks.exe
4616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
388	powershell.exe
388	powershell.exe
4860	powershell.exe
2424	powershell.exe
2424	powershell.exe
4860	powershell.exe
5024	powershell.exe
5024	powershell.exe
3168	powershell.exe
3168	powershell.exe
4364	powershell.exe
4364	powershell.exe
5064	powershell.exe
5064	powershell.exe
4380	powershell.exe
1216	powershell.exe
4380	powershell.exe
1216	powershell.exe
4560	powershell.exe
4560	powershell.exe
1872	powershell.exe
1872	powershell.exe
2060	powershell.exe
2060	powershell.exe
3736	powershell.exe
3736	powershell.exe
5628	powershell.exe
5628	powershell.exe
4400	powershell.exe
4400	powershell.exe
2600	powershell.exe
2600	powershell.exe
4360	powershell.exe
4360	powershell.exe
4420	powershell.exe
4420	powershell.exe
4520	powershell.exe
4520	powershell.exe
4860	powershell.exe
4380	powershell.exe
1216	powershell.exe
5064	powershell.exe
2424	powershell.exe
2424	powershell.exe
3736	powershell.exe
388	powershell.exe
388	powershell.exe
3168	powershell.exe
3168	powershell.exe
4560	powershell.exe
5024	powershell.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	5628	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	1936	SearchApp.exe
Token: SeDebugPrivilege	4672	SearchApp.exe
Token: SeDebugPrivilege	4944	SearchApp.exe
Token: SeDebugPrivilege	5300	SearchApp.exe
Token: SeDebugPrivilege	4260	SearchApp.exe
Token: SeDebugPrivilege	4608	SearchApp.exe
Token: SeDebugPrivilege	4148	SearchApp.exe
Token: SeDebugPrivilege	3760	SearchApp.exe
Token: SeDebugPrivilege	3532	SearchApp.exe
Token: SeDebugPrivilege	3028	SearchApp.exe
Token: SeDebugPrivilege	4532	SearchApp.exe
Token: SeDebugPrivilege	5044	SearchApp.exe
Token: SeDebugPrivilege	2272	SearchApp.exe
Token: SeDebugPrivilege	5580	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 3736	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	149
PID 2952 wrote to memory of 3736	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	149
PID 2952 wrote to memory of 388	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	150
PID 2952 wrote to memory of 388	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	150
PID 2952 wrote to memory of 2424	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	151
PID 2952 wrote to memory of 2424	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	151
PID 2952 wrote to memory of 3168	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	152
PID 2952 wrote to memory of 3168	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	152
PID 2952 wrote to memory of 1872	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	153
PID 2952 wrote to memory of 1872	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	153
PID 2952 wrote to memory of 1216	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	154
PID 2952 wrote to memory of 1216	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	154
PID 2952 wrote to memory of 5024	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	155
PID 2952 wrote to memory of 5024	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	155
PID 2952 wrote to memory of 2600	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	156
PID 2952 wrote to memory of 2600	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	156
PID 2952 wrote to memory of 5064	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	157
PID 2952 wrote to memory of 5064	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	157
PID 2952 wrote to memory of 4560	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	158
PID 2952 wrote to memory of 4560	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	158
PID 2952 wrote to memory of 4860	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	159
PID 2952 wrote to memory of 4860	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	159
PID 2952 wrote to memory of 4400	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	161
PID 2952 wrote to memory of 4400	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	161
PID 2952 wrote to memory of 2060	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	162
PID 2952 wrote to memory of 2060	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	162
PID 2952 wrote to memory of 4380	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	163
PID 2952 wrote to memory of 4380	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	163
PID 2952 wrote to memory of 4364	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	164
PID 2952 wrote to memory of 4364	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	164
PID 2952 wrote to memory of 4360	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	165
PID 2952 wrote to memory of 4360	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	165
PID 2952 wrote to memory of 5628	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	166
PID 2952 wrote to memory of 5628	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	166
PID 2952 wrote to memory of 4420	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	168
PID 2952 wrote to memory of 4420	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	168
PID 2952 wrote to memory of 4520	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	169
PID 2952 wrote to memory of 4520	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	169
PID 2952 wrote to memory of 6020	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	187
PID 2952 wrote to memory of 6020	2952	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	187
PID 6020 wrote to memory of 1312	6020	cmd.exe	189
PID 6020 wrote to memory of 1312	6020	cmd.exe	189
PID 6020 wrote to memory of 1936	6020	cmd.exe	190
PID 6020 wrote to memory of 1936	6020	cmd.exe	190
PID 1936 wrote to memory of 464	1936	SearchApp.exe	191
PID 1936 wrote to memory of 464	1936	SearchApp.exe	191
PID 1936 wrote to memory of 5200	1936	SearchApp.exe	192
PID 1936 wrote to memory of 5200	1936	SearchApp.exe	192
PID 464 wrote to memory of 4672	464	WScript.exe	195
PID 464 wrote to memory of 4672	464	WScript.exe	195
PID 4672 wrote to memory of 1160	4672	SearchApp.exe	196
PID 4672 wrote to memory of 1160	4672	SearchApp.exe	196
PID 4672 wrote to memory of 3584	4672	SearchApp.exe	197
PID 4672 wrote to memory of 3584	4672	SearchApp.exe	197
PID 1160 wrote to memory of 4944	1160	WScript.exe	205
PID 1160 wrote to memory of 4944	1160	WScript.exe	205
PID 4944 wrote to memory of 5992	4944	SearchApp.exe	206
PID 4944 wrote to memory of 5992	4944	SearchApp.exe	206
PID 4944 wrote to memory of 3488	4944	SearchApp.exe	207
PID 4944 wrote to memory of 3488	4944	SearchApp.exe	207
PID 5992 wrote to memory of 5300	5992	WScript.exe	208
PID 5992 wrote to memory of 5300	5992	WScript.exe	208
PID 5300 wrote to memory of 2952	5300	SearchApp.exe	209
PID 5300 wrote to memory of 2952	5300	SearchApp.exe	209

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d6e2e288705c6ca37ed2968b4ff7e7ca.exe
"C:\Users\Admin\AppData\Local\Temp\d6e2e288705c6ca37ed2968b4ff7e7ca.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d6e2e288705c6ca37ed2968b4ff7e7ca.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4312_1875161395\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4664_724051295\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PMXpAW9ayF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6020
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1312
- - C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
    "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b902016e-79e8-440f-9a63-2f955f11442d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
        
        "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e99f364-ce66-4c36-b262-b09d3eb8285d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
        
        "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\234330f8-3c92-4040-87d4-69561f4dfb12.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5992
        
        C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
        
        "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\562720f4-bc20-4481-a859-90c14470858a.vbs"
        10⤵
        
        PID:2952
        
        C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
        
        "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d108d91-ac83-4e3f-87e3-69a1a65ce8bf.vbs"
        12⤵
        
        PID:3552
        
        C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
        
        "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcdbe837-a66d-4afd-8d79-7b401ba22264.vbs"
        14⤵
        
        PID:744
        
        C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
        
        "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c16f76b5-b887-4291-a149-3d4b962d7ec1.vbs"
        16⤵
        
        PID:4876
        
        C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
        
        "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aafd87b1-d308-4613-93ba-9a6e71cbb514.vbs"
        18⤵
        
        PID:5496
        
        C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
        
        "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fca0d05-9817-4cad-9179-1d5fdbda2daa.vbs"
        20⤵
        
        PID:3464
        
        C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
        
        "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b16fe568-95da-4a9a-a3a1-875e26dd13b6.vbs"
        22⤵
        
        PID:3304
        
        C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
        
        "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16e9b1b4-169a-4931-8bff-c22713ae0f4e.vbs"
        24⤵
        
        PID:4652
        
        C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
        
        "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a07b946c-2d8c-4b63-bc75-4cc2628afcaf.vbs"
        26⤵
        
        PID:2656
        
        C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
        
        "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6b13db8-2ed0-4fcd-be61-d1fa502e24e6.vbs"
        28⤵
        
        PID:2104
        
        C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe
        
        "C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff40d1bb-0792-4a51-9633-9a461a8ba3ea.vbs"
        30⤵
        
        PID:4736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fdfdc3b-0b44-4b32-a29c-6eb17a8e6221.vbs"
        30⤵
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb9e2d4e-fb14-46d0-9ecf-ea4620dce6c0.vbs"
        28⤵
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa2062f0-eb04-4d17-a702-416558badaf8.vbs"
        26⤵
        
        PID:3496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53ee8576-0cf9-4e4e-8da5-16330c3ae176.vbs"
        24⤵
        
        PID:5600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc82fb91-3bac-4ca7-986e-c77b9c5a35e3.vbs"
        22⤵
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51683586-76c4-477e-a807-2edab6720591.vbs"
        20⤵
        
        PID:3988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62e1e2f1-6da7-4555-9b3b-91cd491edd34.vbs"
        18⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1bd1dfc-e404-4ab2-bbb3-bdb2fb4bbf44.vbs"
        16⤵
        
        PID:5568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95f71a84-1bcc-4b4e-b0be-7a8607945d3b.vbs"
        14⤵
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fc6ca32-c43a-48c4-a2f6-11005b813bed.vbs"
        12⤵
        
        PID:4928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2d11158-75c7-46ec-9b84-8e9defdd44cf.vbs"
        10⤵
        
        PID:5196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32034c4e-a186-4fd1-8508-317ac98be74d.vbs"
        8⤵
        
        PID:3488
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c667726a-46ce-4685-841b-63944980a514.vbs"
        6⤵
        
        PID:3584
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\394198a5-1dcf-44b4-a793-f0ea3072a1cd.vbs"
      4⤵
      PID:5200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4312_1875161395\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4312_1875161395\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4312_1875161395\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\GameBarPresenceWriter\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\4d7dcf6448637544ea7e961be1ad\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\4d7dcf6448637544ea7e961be1ad\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4604_2014095729\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4664_724051295\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4664_724051295\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4664_724051295\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dllhost.exe

Filesize
1.6MB

MD5
8dc3367646827c766b686cc10557f437

SHA1
2afb9c2b19f115154ebccd5e284be5968985c390

SHA256
b3e2c38455424bb4c33bba2d22d01fe6727ce072aed1d52308db88df0d4bbe00

SHA512
fdd03584d2825274546937a0230670f11e6e6bd26ee57a432a175e34428227286093009657ef6fbc659447998191ede028678cb69278b706ce5bcec36e95ae1a

Download Submit
C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\winlogon.exe

Filesize
1.6MB

MD5
48b3ffc7547134065a828c489a3e0231

SHA1
7e2885470aa9589b16d5bf21be4fa97fb5c1272b

SHA256
f9fabbab3e3a7f2dc23df356882a3de9e8ad1df4286c240d3dd9ee4369a73fbc

SHA512
f3fd521d88db66901fe9344a27ef76e2590fc38d4ed3ddac1bf5fe31d17007d41b8f50a2ed004cec4735294ce922c8302f3cdbb9d445f9b3da6a007dc3ae89a6

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\fontdrvhost.exe

Filesize
1.6MB

MD5
d6e2e288705c6ca37ed2968b4ff7e7ca

SHA1
8f716b10bcfbb3adde8630ac0b4753068d3acf3b

SHA256
9d2b3033c9a5a32d0f15fd62edf41ee48ae15b47db8b7e0ef3208e5e5a7a3bef

SHA512
164fc15637eb15d663a6e436203fb9982ee7a8a867c2653f9505434424011cf13cee96008bcd6c0fee1650e713ac5a3a6bfc3a74798bf56f661cbe1d2c612743

Download Submit
C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe

Filesize
1.6MB

MD5
15ec46f6aeca8600998355536be9dbbb

SHA1
427012b97a2af4f57d2966e1e1102f04291aa5f1

SHA256
71d345cb4e02e4de749188357e389e5fd3ab51583ab4c903429efd31f1f64483

SHA512
7fa53280b78a7457e57556617685df587533dce415828233fe56153920e5f675b0848b4c20479ed68f5ac54212a5cb96fc2978f705b87f83d8a6da44f6e4afa7

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.6MB

MD5
02812583ab91e511f3e0e80ad9669976

SHA1
b0539c4694536e2c0bc53452a8f47e5b8d09ef3f

SHA256
282069b884fc342d6595e6e00f3ef29ae9dcc2c2e4c71167f7c935a7baba50ff

SHA512
3769a17fb2ad5448ff634596b22305456510e543ae7311e35b9d3b4023f20c4b85a092552db2d50f40dac59d8c7412db7d27c3ddbaa75d81bc17849b647417e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae16a918424e097a7381a2ccf705660f

SHA1
9dc31ecbed1a208c46ad3486a8cf2052fa2cf6e8

SHA256
1135a17413b8c2db64197b347d56634bfff703ab9de03a511703e3c94486655b

SHA512
b03f69c77c944d66f37fe8d03bdb5bbc11345746608fbc135f5f77df4f0840b1a0a26ee127dd338e2f61f81d592121458bffd134b1fb9f55a4f8b62e7a4d67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3daae9cdd018437ea3c21aba22ed09c6

SHA1
9f0127b1483e1937d5d8cccf3ae1de0cac1c4c58

SHA256
10ae5cee35e47503d6db91713d92e11babdbb6c06f309fc761dccc7d9684723a

SHA512
17b4b1aa30c7871f7325f67b1b3ab5cd6f6eaafd7e4b45e96beb7fb84f80d0c4858852dbb15c1dfa2abf3e2aa6507c85e041807a575f29fe0c5dc215b04a206a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1b2770b6e93963548483b9857a191b12

SHA1
da1f36e92f6f116ea4d6300b279be899ed6413a8

SHA256
4c2f150efa24585d81d212c3d1618af0777e007596cf7bd76cbf660db384b00b

SHA512
6fe8388503b09ec12528e982fea548c271d5687163db05ede832a0814a0fad6fa7c4ff32ed0cfa48f90c9b2980e2613be1d673fa47eaa2a9ea9540add473b4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a0a5a1b68ad6facd1636fe5f5e1c4359

SHA1
e4fee6d6a2476904d9ba14d9045341df3616ca4a

SHA256
7257de23847d0c2fa79bbae208df603b1f29406f486cdcafdaedc54846b18c7a

SHA512
1b843eb6273034c6798379cf217ddb58004db776243daffba33020e5aa0ef8fc440e202b9cd6454521e7b608158891edb979165aa9353d3ea32fae74815e97d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0bd0ba1b6d523383ae26f8138bac15f

SHA1
8d2828b9380b09fe6b0a78703a821b9fb8a491e5

SHA256
a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1

SHA512
614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5298af510096b88490b00b468206c966

SHA1
afc8d92a832bf530001e9d7bce0a917067b1a753

SHA256
d1dae534bb9fc91682d16c2a30657cf3eafa4db82fec8d1477dde2d0e9af5a18

SHA512
9653df3b73599ad282259e3990d18b4e56f556d6fbc33697293503cc88738473245f7507b571059460ce57e6267219bc7b95ed1e90c198d0726a13b91427419e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
57a97b6c8c4cecbbaca70e7453397c5e

SHA1
89aaaa12386a9b191b7570c942b6c302bce1b218

SHA256
61104d386ede610e31af0f4532e78f309a907a100b7de7f6bd362ba758b1372f

SHA512
0b475f771633930a90ccc9fcf3b823f7ba0aa8d1c1c984eed37d8844f01988740f1974c3536a690e033b7861018e1e25a46d8ef86abd5fa24db02e1f6a07ffa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9ea4fdbf8bad883929456091a1e50194

SHA1
fc3b6026729ad36729c2cc4349b8e7a94255ad71

SHA256
ca2f5b4e41b386c2f09fb10d2cf78cd395b614ea6c7c11ec155b415550262e2e

SHA512
27bdd15bf73b9fe22005834e083c1e05919532a4f3eb4c4c41727f8175f35ab2119625ee7d8cc0ab86e00631393c8c839f05dcd3cdcd6644b83de41649472211

Download Submit
C:\Users\Admin\AppData\Local\Temp\16e9b1b4-169a-4931-8bff-c22713ae0f4e.vbs

Filesize
732B

MD5
ac90b472490f7aa5ed2ec7836410fa1f

SHA1
838fc91d37ae3d29523dee1ca783c3e9dbe0ab87

SHA256
99c061e1dd0b71c525c09b08fe8e28156c32fa9ec3818bf29a51c482a678e72e

SHA512
ef6fc281c18bb68a7ec147dce38535e32de1f2984d0b846eba50688a35a76147e5c9f7f3ec644eb23de27e6ef7e836fcfebe3821997cfd219392d07094be1345

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fca0d05-9817-4cad-9179-1d5fdbda2daa.vbs

Filesize
732B

MD5
b37072eb385825780313d62d1a6c541a

SHA1
9936f793d6dca8e9608e3557267e24dcba4a3b45

SHA256
b8f7697425763c8c11d4aa775b101c8681e1b845d9e6003a3cbd30693fb9e1e5

SHA512
147c4aa8e93cb11ea05d866b6e811ac56f84e365066c48dbeb688058edb842b01d2374a84ca82ba8ff4622a1832c9bb0a9d9242a7360e26b679b0b4716775565

Download Submit
C:\Users\Admin\AppData\Local\Temp\234330f8-3c92-4040-87d4-69561f4dfb12.vbs

Filesize
732B

MD5
9057e8089cf5c079887516b3db917c5b

SHA1
9ffaf32e699c883b6fcbcc359f134a6624bbd02b

SHA256
6ee9a9122a129553651fce3f507af117a690d7fe09c85abc9be503f5280c57af

SHA512
1531d8c70d09b06a6b3d5edeee54927d1c36b346dd879436f69dc318c837881bcd2a4d73e199b50a5956c4900a7e3c3cc52fdb45a90b6af7dc97ebac4e6737d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\394198a5-1dcf-44b4-a793-f0ea3072a1cd.vbs

Filesize
508B

MD5
34d164cf9c4ec60a161dd4ed40736bd8

SHA1
cefcf41692e82b53dfe94f2fe4c0578ae65cbee8

SHA256
c1ea48c4c69eb24d611dd742d3d7b4d191ca9e7f0112629ff492e89c71da90d7

SHA512
1bd8cc4ec35d04accd4f4afc0517eebba18b23739281229724fbb533207e0ff8517aadd10eaaeb3911babad2d6c48813b047cb0837a5195d886eb6964e50e6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e99f364-ce66-4c36-b262-b09d3eb8285d.vbs

Filesize
732B

MD5
e91ac36c19e4beae4782004f343ab7d6

SHA1
af2acd80c0469dea5b1427202ec4420d71ce751c

SHA256
f9707bd3a35ce0625e2fe5c0182304c633bb16a600999955f90e1be1de061f5c

SHA512
1c8d3c76fe87800f8dc3e2d04e80b87cd3f28be012e965d2ba160c08fe8a19fa40ca64253dd0c1e3e5abe3dcb88dc6c8caaed3691fbbdfc1b1ee993de01af863

Download Submit
C:\Users\Admin\AppData\Local\Temp\562720f4-bc20-4481-a859-90c14470858a.vbs

Filesize
732B

MD5
7af2e7faa4f479cffff77d9eb5266ff7

SHA1
ff8fa7af54da77d32ffb53fa84837e9dbfcc2a6e

SHA256
e742d243021f2226bdbc95b219498a81fbf28a2532aa84d60d178365b5aea821

SHA512
58e8e6b4dd2e07618951de14dae25a4f2858961d5383f56065031fe68b908405ee69f932f8eff7338714ed842d95e59a5f0ba42ae54a4a33348f53ac1d8cb923

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d108d91-ac83-4e3f-87e3-69a1a65ce8bf.vbs

Filesize
732B

MD5
bb2cc2bbfe629a217cd25a3c1482954a

SHA1
998b8d8889bb87b6fef3b1b670e0c9e9030762c8

SHA256
e20c94f10440439ced88da8c093117c83f33a7303f11732e1afc742c3e3a4fbf

SHA512
d126e2d3f9ec86ff90436bcb4b2fb04967bd587264622c6b1822285cd4ca387cd7a44e643587c75a4fc2969953b82dc9c605e03d0a2b101dadd567b5f3b71a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMXpAW9ayF.bat

Filesize
221B

MD5
a10680529616dd6e835e7f2626a1e44c

SHA1
b078435576826666cc6c66e0c6aab1aae2f23ab8

SHA256
da041c0327254ef21eef1f85aab44a4184156f16089d867cdb3a5f40dede5332

SHA512
4454ada8ed54a6d2cb6ab3f52447dccac560ba6f6426ba6b6c4bf62dbc5ceb860d9c04a3721b7ad4abc356a59e87d8d3fc3d16b2b9b89fac3c667cc4b063671c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fryuu1tt.byl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafd87b1-d308-4613-93ba-9a6e71cbb514.vbs

Filesize
732B

MD5
f7c5a9e8030d9fe6002ab7055050c0b5

SHA1
05cd699f5b045e55d26bd41b7d68944ff2afec03

SHA256
66089d2d678b9f62df53b1faad0d4a2f47a3af34c3b721a31e6bc1dbdbacbbf9

SHA512
0c32c9d3a3223a0d0437a70ec53969a402ba997ef5b19d9e79bade10c49d12c1e9e2ebb36943223bb571f0480473fbe60316f080aab538ec33d9a96506b0218e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b16fe568-95da-4a9a-a3a1-875e26dd13b6.vbs

Filesize
732B

MD5
5484902386c942e1e87268c6edf394de

SHA1
b654a245eec3074017601bbd0f8147a5965a3a22

SHA256
c838e769f64448bd727ade695d39b20a4c0e5f472d825bce345b46bc0571ec11

SHA512
987fe4f3ab92b247e55d6ee112ca6cce70401cfb21b82f2557a9ae2b8040fa036ac920de83243c153d0509cb388cb74f12954198f89b37e64a0ebeeb402eee11

Download Submit
C:\Users\Admin\AppData\Local\Temp\b902016e-79e8-440f-9a63-2f955f11442d.vbs

Filesize
732B

MD5
000f6386c06df5d6d7f2456ea9e4443e

SHA1
0aecb10143bddcbcfb8b2726b04095c8db96482b

SHA256
acb1f9132612c255f62743ea45ab426d4a8c5977b248d6d2607556f734cdcc21

SHA512
a153d80cdcbe9fe98657c64aead5dff5cb64fc6737bdbe0d78c4456f3534478dae56e2c994b844a80f32b09922831cd33d79975858370eeede4de5f8f099dcdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\c16f76b5-b887-4291-a149-3d4b962d7ec1.vbs

Filesize
732B

MD5
dac70d60899b03e22b6030043b707ac0

SHA1
86e0d48a164e73e708986ab0836a2e8944f2d9aa

SHA256
a857b50f8a1c87389916b68997edb3563fb0875d859db06375a5495cb7c7e06d

SHA512
a98dd5e331f590bee405f7c3c8683e59c3e0634bbe62b4c7136eaf602264c5a600a696475f2e3e9a86e1715081b0d7b37847c1e414ffa465cd69302ff09faf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcdbe837-a66d-4afd-8d79-7b401ba22264.vbs

Filesize
732B

MD5
0a61f8ab542d053dec92fcf813c17c35

SHA1
d754af24cd60d9dc4da797599bf9bd720429a03b

SHA256
b7f4966bf758e25ec8a7eac4a637b1a17c503c8b8d37327cdb3936fd8508496e

SHA512
198387203ec08e3558306b6c201d51db9a1ff12034e44eb35475fdd4bb0e3349606a4d2e32b94020820a524c982e8c6ab62244d072d733dda32d947160f3b95c

Download Submit
C:\Windows\GameBarPresenceWriter\RCXABFA.tmp

Filesize
1.6MB

MD5
e3f485b539d84ff5183495bf8c510428

SHA1
cc4ce0b485b553311216aacdf94ec899cb925abf

SHA256
bc1da9a3875f56bfa82dc91cdc8c93be625ee66498b5dbbe6a8043e6c00e4336

SHA512
dba41f8dc7c6415958be9715f3e4d75476fc14fa96a2a5efce1b4df8717d81215848edacbbbdc501bf46a8158d54a7d284819cb730843dadf9274eb4307e5525

Download Submit
memory/2952-15-0x000000001B910000-0x000000001B918000-memory.dmp

Filesize
32KB

Download
memory/2952-11-0x000000001B700000-0x000000001B70C000-memory.dmp

Filesize
48KB

Download
memory/2952-0-0x00007FFFB8B43000-0x00007FFFB8B45000-memory.dmp

Filesize
8KB

Download
memory/2952-197-0x00007FFFB8B40000-0x00007FFFB9601000-memory.dmp

Filesize
10.8MB

Download
memory/2952-174-0x00007FFFB8B43000-0x00007FFFB8B45000-memory.dmp

Filesize
8KB

Download
memory/2952-16-0x000000001B920000-0x000000001B92A000-memory.dmp

Filesize
40KB

Download
memory/2952-12-0x000000001B710000-0x000000001B71A000-memory.dmp

Filesize
40KB

Download
memory/2952-13-0x000000001B770000-0x000000001B77E000-memory.dmp

Filesize
56KB

Download
memory/2952-17-0x000000001B930000-0x000000001B93C000-memory.dmp

Filesize
48KB

Download
memory/2952-10-0x000000001B6F0000-0x000000001B6FC000-memory.dmp

Filesize
48KB

Download
memory/2952-1-0x00000000008E0000-0x0000000000A82000-memory.dmp

Filesize
1.6MB

Download
memory/2952-283-0x00007FFFB8B40000-0x00007FFFB9601000-memory.dmp

Filesize
10.8MB

Download
memory/2952-14-0x000000001B780000-0x000000001B788000-memory.dmp

Filesize
32KB

Download
memory/2952-9-0x000000001B6E0000-0x000000001B6E8000-memory.dmp

Filesize
32KB

Download
memory/2952-4-0x000000001B720000-0x000000001B770000-memory.dmp

Filesize
320KB

Download
memory/2952-6-0x0000000002CD0000-0x0000000002CE6000-memory.dmp

Filesize
88KB

Download
memory/2952-8-0x000000001B6D0000-0x000000001B6E0000-memory.dmp

Filesize
64KB

Download
memory/2952-7-0x0000000002C70000-0x0000000002C78000-memory.dmp

Filesize
32KB

Download
memory/2952-5-0x0000000001140000-0x0000000001150000-memory.dmp

Filesize
64KB

Download
memory/2952-3-0x0000000002C50000-0x0000000002C6C000-memory.dmp

Filesize
112KB

Download
memory/2952-2-0x00007FFFB8B40000-0x00007FFFB9601000-memory.dmp

Filesize
10.8MB

Download
memory/4860-282-0x000001FEE3FE0000-0x000001FEE4002000-memory.dmp

Filesize
136KB

Download