dcrat | e0b7deb5306d43671d3800515bdf5b31455b483a06862be563813eabea3e181d

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Size

1.9MB
MD5

edcab28f5aae28489cb2ca6933a2f2be
SHA1

8226e84872a864d71d6f23a6927d1b603c53a0b7
SHA256

c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4
SHA512

240cedf9b820b28c66ce25d8e6591155906302dec4b234c5a697bbd3bdd6eec39874b09110be01883dac74cba494e46be356cd445a1cc16a3b269e720b1cff6a
SSDEEP

49152:lD4qFYryHb84s5guM/UpXR/+7SjWnjb8Ydp1:lDC4si4bGmjWnkYdf

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\explorer.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\explorer.exe\", \"C:\\900323d723f1dd1206\\SearchApp.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\explorer.exe\", \"C:\\900323d723f1dd1206\\SearchApp.exe\", \"C:\\Windows\\twain_32\\backgroundTaskHost.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\explorer.exe\", \"C:\\900323d723f1dd1206\\SearchApp.exe\", \"C:\\Windows\\twain_32\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sihost.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\explorer.exe\", \"C:\\900323d723f1dd1206\\SearchApp.exe\", \"C:\\Windows\\twain_32\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sihost.exe\", \"C:\\60739cf6f660743813\\smss.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\explorer.exe\", \"C:\\900323d723f1dd1206\\SearchApp.exe\", \"C:\\Windows\\twain_32\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sihost.exe\", \"C:\\60739cf6f660743813\\smss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5292	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5572	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6020	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5580	4516	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	4516	schtasks.exe	88

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5820	powershell.exe
4920	powershell.exe
5476	powershell.exe
3684	powershell.exe
444	powershell.exe
3756	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Windows Mail\\sihost.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\60739cf6f660743813\\smss.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\explorer.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Windows Mail\\sihost.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\60739cf6f660743813\\smss.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\explorer.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\900323d723f1dd1206\\SearchApp.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\900323d723f1dd1206\\SearchApp.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\twain_32\\backgroundTaskHost.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\twain_32\\backgroundTaskHost.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ipinfo.io
25	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC4522809AF0EF48ACA1E54E7582AB530.TMP	csc.exe
File created	\??\c:\Windows\System32\btjsu_.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\sihost.exe	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
File created	C:\Program Files (x86)\Windows Mail\66fc9ff0ee96c2	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\7a0fd90576e088	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC1D4491B22B8745EC93D75C4980D831E1.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\backgroundTaskHost.exe	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
File created	C:\Windows\twain_32\eddb19405b7ce1	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2376	PING.EXE
468	PING.EXE
5728	PING.EXE
2004	PING.EXE
3380	PING.EXE
4744	PING.EXE
3352	PING.EXE
4132	PING.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
3352	PING.EXE
4132	PING.EXE
2376	PING.EXE
468	PING.EXE
5728	PING.EXE
2004	PING.EXE
3380	PING.EXE
4744	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2256	schtasks.exe
2932	schtasks.exe
552	schtasks.exe
3700	schtasks.exe
5580	schtasks.exe
5292	schtasks.exe
5004	schtasks.exe
5572	schtasks.exe
1484	schtasks.exe
6020	schtasks.exe
3184	schtasks.exe
2080	schtasks.exe
548	schtasks.exe
4708	schtasks.exe
1212	schtasks.exe
4576	schtasks.exe
1732	schtasks.exe
3864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	2480	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	4956	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	6008	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	4412	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	984	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	4920	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	5988	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	5352	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	2684	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	4520	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	3384	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	3036	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	1028	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	4028	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	5656	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	2292	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	3860	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6040 wrote to memory of 1504	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	92
PID 6040 wrote to memory of 1504	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	92
PID 1504 wrote to memory of 4904	1504	csc.exe	94
PID 1504 wrote to memory of 4904	1504	csc.exe	94
PID 6040 wrote to memory of 5824	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	95
PID 6040 wrote to memory of 5824	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	95
PID 5824 wrote to memory of 4824	5824	csc.exe	181
PID 5824 wrote to memory of 4824	5824	csc.exe	181
PID 6040 wrote to memory of 3684	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	116
PID 6040 wrote to memory of 3684	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	116
PID 6040 wrote to memory of 5476	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	117
PID 6040 wrote to memory of 5476	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	117
PID 6040 wrote to memory of 4920	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	168
PID 6040 wrote to memory of 4920	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	168
PID 6040 wrote to memory of 5820	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	120
PID 6040 wrote to memory of 5820	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	120
PID 6040 wrote to memory of 3756	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	122
PID 6040 wrote to memory of 3756	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	122
PID 6040 wrote to memory of 444	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	124
PID 6040 wrote to memory of 444	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	124
PID 6040 wrote to memory of 5368	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	128
PID 6040 wrote to memory of 5368	6040	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	128
PID 5368 wrote to memory of 2892	5368	cmd.exe	130
PID 5368 wrote to memory of 2892	5368	cmd.exe	130
PID 5368 wrote to memory of 4344	5368	cmd.exe	131
PID 5368 wrote to memory of 4344	5368	cmd.exe	131
PID 5368 wrote to memory of 2480	5368	cmd.exe	134
PID 5368 wrote to memory of 2480	5368	cmd.exe	134
PID 2480 wrote to memory of 4940	2480	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	135
PID 2480 wrote to memory of 4940	2480	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	135
PID 4940 wrote to memory of 5292	4940	cmd.exe	137
PID 4940 wrote to memory of 5292	4940	cmd.exe	137
PID 4940 wrote to memory of 1676	4940	cmd.exe	138
PID 4940 wrote to memory of 1676	4940	cmd.exe	138
PID 4940 wrote to memory of 4956	4940	cmd.exe	140
PID 4940 wrote to memory of 4956	4940	cmd.exe	140
PID 4956 wrote to memory of 4668	4956	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	141
PID 4956 wrote to memory of 4668	4956	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	141
PID 4668 wrote to memory of 4872	4668	cmd.exe	143
PID 4668 wrote to memory of 4872	4668	cmd.exe	143
PID 4668 wrote to memory of 5728	4668	cmd.exe	144
PID 4668 wrote to memory of 5728	4668	cmd.exe	144
PID 4668 wrote to memory of 6008	4668	cmd.exe	145
PID 4668 wrote to memory of 6008	4668	cmd.exe	145
PID 6008 wrote to memory of 3888	6008	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	146
PID 6008 wrote to memory of 3888	6008	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	146
PID 3888 wrote to memory of 4120	3888	cmd.exe	148
PID 3888 wrote to memory of 4120	3888	cmd.exe	148
PID 3888 wrote to memory of 2004	3888	cmd.exe	149
PID 3888 wrote to memory of 2004	3888	cmd.exe	149
PID 3888 wrote to memory of 4412	3888	cmd.exe	155
PID 3888 wrote to memory of 4412	3888	cmd.exe	155
PID 4412 wrote to memory of 4028	4412	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	209
PID 4412 wrote to memory of 4028	4412	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	209
PID 4028 wrote to memory of 5328	4028	cmd.exe	161
PID 4028 wrote to memory of 5328	4028	cmd.exe	161
PID 4028 wrote to memory of 3380	4028	cmd.exe	162
PID 4028 wrote to memory of 3380	4028	cmd.exe	162
PID 4028 wrote to memory of 984	4028	cmd.exe	212
PID 4028 wrote to memory of 984	4028	cmd.exe	212
PID 984 wrote to memory of 1184	984	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	164
PID 984 wrote to memory of 1184	984	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	164
PID 1184 wrote to memory of 5756	1184	cmd.exe	166
PID 1184 wrote to memory of 5756	1184	cmd.exe	166

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
"C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pnpmyc1o\pnpmyc1o.cmdline"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DDD.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1D4491B22B8745EC93D75C4980D831E1.TMP"
    3⤵
    PID:4904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmsylu2b\tmsylu2b.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5824
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E2B.tmp" "c:\Windows\System32\CSC4522809AF0EF48ACA1E54E7582AB530.TMP"
    3⤵
    PID:4824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xM7vGwl5Hu.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5368
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2892
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4344
- - C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
    "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PN8AyO50yD.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5292
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1676
    - - C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ODIA3Zf31.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        7⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        9⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mkvvIrKbn0.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        11⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1mWG9ArXwW.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:5756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        13⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\psxgKE21Xe.bat"
        14⤵
        
        PID:5664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        15⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat"
        16⤵
        
        PID:5940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        17⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oe8YqT2ALj.bat"
        18⤵
        
        PID:4740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        19⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gtOlnDcdUa.bat"
        20⤵
        
        PID:3824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        21⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PN8AyO50yD.bat"
        22⤵
        
        PID:5436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        23⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9rsY8ZYMRr.bat"
        24⤵
        
        PID:1072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        25⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffZdJSdmJf.bat"
        26⤵
        
        PID:1556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        27⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\psxgKE21Xe.bat"
        28⤵
        
        PID:3088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        29⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2RXpaL3EF.bat"
        30⤵
        
        PID:3488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        31⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat"
        32⤵
        
        PID:1604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        33⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A6hgcLYDdm.bat"
        34⤵
        
        PID:3476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:5272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A6hgcLYDdm.bat"
        36⤵
        
        PID:4868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        37⤵
        
        PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\900323d723f1dd1206\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\twain_32\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\60739cf6f660743813\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\60739cf6f660743813\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\60739cf6f660743813\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4c" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4c" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe

Filesize
1.9MB

MD5
edcab28f5aae28489cb2ca6933a2f2be

SHA1
8226e84872a864d71d6f23a6927d1b603c53a0b7

SHA256
c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4

SHA512
240cedf9b820b28c66ce25d8e6591155906302dec4b234c5a697bbd3bdd6eec39874b09110be01883dac74cba494e46be356cd445a1cc16a3b269e720b1cff6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe.log

Filesize
1KB

MD5
cb4338b342d00bfe6111ffee5cbfc2ed

SHA1
fc16673b6833ad3cb00743a32868b859e90aa536

SHA256
343ed6661687e81c9615dcaea42fb1a98b70572bb9fe07e16f020108725dbbe9

SHA512
4bcea1366b8be00d08eb15cfd78c87e1c8f3aea140a4ea30efb3c0511cd3de21b7ce8c933c7478fb06a356573ecb928e50df23d340fbd9a6e6c156a004d2a77a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
842369b08704bbddf9de4d90016e58dd

SHA1
8bc3da656c08abbc14c58201e65b0dc823964bea

SHA256
cbf20404c609c0792de4320ac3fa1806269cf5d97420565e3f43d409a11a2808

SHA512
8f6cc3419f04b1cb4e6c7986ad9fb8a43fb380fee263937e223d8a5269aec918c2c8cd362ee708de0ded3a533f4cd43624d606f45b37e128bec52ada30c43b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
737aca23f199ce589dd1e68bc4969b98

SHA1
8c9cdd6bdf94c5fa42c5b0c29abf0136e4e6fa00

SHA256
6aa59e171898b3dd42a36662ef81d349ce5063a705f1261e881269c59e7c742b

SHA512
ccc0e6fa798aeb92e6e1a14d6ef3dc23e8e829d5ffd10f11129d0e590820711e29997a761dca77b8e790b06e3c7c0d2059137f40f92543eb8048529b1b4d7817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9e91fa13f902935b683fcbc65dd11c03

SHA1
9412ddf77a7a551178e3d60b5fcd7d71d7301bb4

SHA256
f4a7ba9b96c0fb8d52545e2bed8711131f4be5fa8e01f4db401115be9ffb31bb

SHA512
9a6ca2c7b62b1205cb28523e0775a1947d4af569164484b50e5ef4d94412743fddbff17e8e9a99ebe31eef192a3cb06919061242acfb8263bda7d969a8b9e60d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ffaa33c7940b1713a06a430414e2fed0

SHA1
b1ade7d02b641ac9c382fad82cb1d31362fafb91

SHA256
a9c2268a32d4b53421c510878be105729a41bb03d01622456369d322e3e35c5e

SHA512
61913fe437de06bae8a99a02f3ff35f483d06ddd9593c16f9bb652dde94930ff47f1a07765b2d78ac5108abb65837a66444dc7ff9691ba9c9ceaf85f0ae73f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1mWG9ArXwW.bat

Filesize
278B

MD5
abc4bf75565126d7802a3ddd62226552

SHA1
f9e0c975ba6c72bfa7c55c99be85ef5bd5d55d7d

SHA256
91291c614dd34f3d56899de351a182088e19723afe28995ff1a1e951c3768cb9

SHA512
008c65050704c699987952055b9f4f2c16267c84571db796eeffe1736e3df63665f945a022728f3dc8a01c2bc82d955faf9591ce74202db105f9a96b7e83db1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ODIA3Zf31.bat

Filesize
230B

MD5
8fd2e7f2417ae6d68914a0fded317dcc

SHA1
d7e9945aa0d5f2a7b7a250c71341a2d61e85d2f9

SHA256
d98791c15e59db8ed67b8f43839aeec9b59320fdb7c9c27078c1af75cb90a3c4

SHA512
b2a1aab367c6c001750dbe8e94e92b7d2502b51cd873e48579041bbc9b4e05a22cc2c9cc6554a20cfe95c0443b42a7ba3938ddef1585e955e17eeafad3462c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\9rsY8ZYMRr.bat

Filesize
278B

MD5
d766394db417db22770686e6bc1a41ed

SHA1
e589d7b80f8e423781e2ec0ed571b504c9c59b24

SHA256
38f2bf4ebe4c6f34e5b6c9117f32463cb7eeeea3440aacd759dd067eda37dcdd

SHA512
056a7f0cdc92265a4d5d74f2f1abc695104fb3054200d9fd062bf0a447ed22d5f1d88ce21a064f87fa88fb1a5acfa7f86026470249244d4abfcea22ce4fd15fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6hgcLYDdm.bat

Filesize
230B

MD5
66aa1e800f664171e087fa163266481b

SHA1
4ef8ae3684ce98a5a5d14d5a624fd6cf3820770c

SHA256
3485b8ef61becc42c408b49f544ca3e03d8c8e6273dbf2c6469255e0097108d7

SHA512
f000c99e273a604cdecd6b7f8018295952eadb12550895c06927ff2889316e2f6a210df083875956bb31cb4ade85e0c159d998cdbd9ab04330d4578aba3f4b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat

Filesize
230B

MD5
7284c35554788b01bb5c67175797c030

SHA1
8575c7b6aaa6007d75da2f68f5ab38485655c4c2

SHA256
71e083fcff07eac5da0f85ea9c66323292f10c40cff66ec96aebf0d672b171f1

SHA512
fe071e0099e04958c8d8c7c7f225f198a05096acfc88ee898285c1cf9b3d40a17dfcfefbddce3f527fac6e2dc90b1c85e803e11accafb0cef9272df39abb16e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PN8AyO50yD.bat

Filesize
278B

MD5
98cbc40045d3bdfb3b4315ccabe2811b

SHA1
5fcbed8aea9474bc72127c02da87e564c2f50c0c

SHA256
a4c914dc64e56f7e750bab1e3b99401e2c211a9ccc843fcc6d89404f4d0520f4

SHA512
5ae2983e8daa82b103362b48658b4c7c789284b45aa0dc2ea3c5f7ea14130716330a1ad98fc9bc3ea5095a16b9ce4aa9e1503188a7dc52016894602496dd0e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6DDD.tmp

Filesize
1KB

MD5
ecf8cf85ca8ea8ac1ca5ab8f8d170bdd

SHA1
33eb8ee14f2211cad29e64abe29a8cf3a5fba03c

SHA256
849dd6749605c35545dedda797f9b30697c884dc45d8cda64f6c51935eb21dc0

SHA512
d4b0f9cb7ae23cb1db06a3de26efd0d9ec7c30329aa9782945e4ac416c463592655fcb0a8a9823d25536a1d3f0f3c0128a9da790ff18d54d52fb718f60aa2fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6E2B.tmp

Filesize
1KB

MD5
2d4a068574daebc0dd99d7586edc196e

SHA1
bcc9e9e01070043a5ae51c0d87b915dff97b73c3

SHA256
e342cd2f6a46a3656350da79ccd44f8ebe5bce1fd7ddbf26704f324b68c26892

SHA512
4e2c99a99d6a9eed2224239339ed6bfd59a71cf248ce91d9526b8516de47b6ffbc16109acd9b9b419adb50ce59c20987ec09752121c0c3b4917d9382d567024f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat

Filesize
278B

MD5
3c34d4c3bb81d82642660819ceef2595

SHA1
48bde2cdc1585b8d8befa74fca22b0217a6533ef

SHA256
d1b51866da0d30fe31a5c4856f382a1943dbe45dad932ce650e47017515dd197

SHA512
0222121b32fb497ed3bce775e094a6735e6515199fb2949a5e337e619a42973def0bc596846ad5f2a77d49b49931d7e51edbc92d538f0c3572ab8315e4bcec93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gekmix1y.va4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffZdJSdmJf.bat

Filesize
230B

MD5
d13a08506d9c989d9201feb05c7bf2af

SHA1
92eedbf62671b032c7fd34ba58ff7568ef47f63f

SHA256
df56b563d1650605a05944db6a87eb4845caaae237f8a825708d937ee256b5d7

SHA512
c62b447978f3e3a2ef0d135016bf3e8c0e3319645319ffc449082cd7633e5942ff78fc0de4e3456509eafffaf003022c058595f2cd58234c0da3a7269acdbffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtOlnDcdUa.bat

Filesize
278B

MD5
da38f5b9f0226c94330622df269520f8

SHA1
6927ca7cc6c5dc554d345f9a94dcdf045bb6d6e6

SHA256
4d18d965e1bed90ed54c805bc9ee8eaac33c279103d37f1e4c3aceff6c698b0b

SHA512
1a19589310b356581c5fa9fa5a9285a9cb28c8575f5ea861dc64f15a7f8aad3d55526f3b9157a81349a6516992cec108652dc673d3fabe63922854e6a1e299db

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2RXpaL3EF.bat

Filesize
278B

MD5
7c0b4c15918346125b602ee734943241

SHA1
c944a3071fc9ccd2114d4cee3b10b86d3c25065a

SHA256
42a3b14b8bde8ce1222c8d95faac30e3a1d87ad413b1e30950f6c32afc86dd58

SHA512
6f1b83e4660963f82cabb8f4ef1f17a8c92b4846d0d4650c9b0b164d6fd0c054f3b10d1b28d4e3058d38e3f5e6db04d4d58418e03d44b51a3284181e9a79cc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkvvIrKbn0.bat

Filesize
230B

MD5
3ecd4556a1384ac2044c28c93a0a84cb

SHA1
aad1db5b974b580d214a209aadab0fefc4f9283c

SHA256
755f67c78b7834d14d3a4d14c276f2b8c3a6f7953bfa8a65e1e545860d77d6df

SHA512
4daf80a9049048eda81d3d481e1a78e3683536b78d5d7f4f3d4efb03a6d29702fd2b3f79c2945ae649922182b5a8c3a4371989bca68b96755b7ffa7a620eec6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oe8YqT2ALj.bat

Filesize
230B

MD5
ab0550d58e5c84c9399762a15e8cb42a

SHA1
47afc5ac20cd72ef49f3ee4413790dd015c10271

SHA256
323ee2cf861ac58869ef166f1029064078af968c72074affbaa373967ef358c8

SHA512
6c9a74a6cdde868542fcedcdf8b8a944e27b83b5add001867a9ac4d9ac3606c72956f07798468d0b4a9bf4b8ae3466d0d6104a72473d3dc5d2e3b1ce9191c171

Download Submit
C:\Users\Admin\AppData\Local\Temp\psxgKE21Xe.bat

Filesize
278B

MD5
8ed8896de44f56063e571077399bceea

SHA1
a7c1e4e5df29e8458fa55d572f232852c924eb9e

SHA256
c708c4a4834602971637f51d577f2fd926a203a509e8a61d1f87f895dbb7291c

SHA512
f31131203244ebfb631fe698c2c1cceb7b2392f82421d3dacf36eee5852b0716c7fb4723e1804068135120eff82b5b76893092f27202070bdbfef0d99775a91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xM7vGwl5Hu.bat

Filesize
278B

MD5
dd7034d3bcbe52d7dca4f65478a47879

SHA1
0e31dc84974a3e7cbf92cbf67f8c29c12a03c2be

SHA256
aebbeb3630fd8ecba0427d693d09ad939544bbbdc41c7641b08ab919f788c278

SHA512
c38ff06c0bbef92cac6fa185dd81bff4b8fa809810720f077bb744ee208723fe3544c5ec4414efc683bb2ff971802dbb4a9aa57257ffe4c8e0deb87ff076d2e3

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC1D4491B22B8745EC93D75C4980D831E1.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pnpmyc1o\pnpmyc1o.0.cs

Filesize
438B

MD5
06c8780a616f1af945a60580e5d37065

SHA1
36627af34aef3d624d2ae8b61338b3b4e10a1642

SHA256
4093678840b4d8773bcd3e6fc47373b5b742249e11a26b3288daad7209ea6aec

SHA512
ab4aa554b55fa01457ca6cafc61f4056eea89c43fe5c0b7fddbfc5d9b597e3a7cb53aa324b6a71aa39d276c0963c35d03c88c048e4677b45fd9f49e11675a1bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pnpmyc1o\pnpmyc1o.cmdline

Filesize
265B

MD5
67a05d97d0afc619bd7f4ffd05f86f9d

SHA1
d40109bd667295f0cac0772d34a1f9d366615580

SHA256
cc49ba71427d2c3f9471341c9db70f198cebc3ec0939479c3db7db645e95efd7

SHA512
955e5a6254fe20037465bd4aa8819e0ae35e59c57c3522047be78716d38d0c4f499bae4089ef6e862860ecce1718f374d6ad35a6bdf863afb46d10e20a25ec94

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmsylu2b\tmsylu2b.0.cs

Filesize
408B

MD5
45fcd856498d7125ad90c1f79d51a161

SHA1
60139487edfb7302a19a95ff73385fe381915a74

SHA256
ad29e55a05a775083c4707e49e0cdf90b2d52b1890271cbabc3635f4680e1285

SHA512
68eabd1f5adfe4330f07fa3d1cba61c9da3a60843e6aaf3ba4d0235dd2405fa0ffbef295ef51dd05af03f163b8b4198318dc9710c3a883e930f326d26bd194d9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmsylu2b\tmsylu2b.cmdline

Filesize
235B

MD5
6e5325ee2e6c9928a938bf34fdfb9c08

SHA1
b21a7af07b0c69c8f72af31e092edc4d603c62a1

SHA256
17ac6c3146694890401a2412074e3baecc2a73752d4896b87fd8105eed603a16

SHA512
81aac7e36a7873caede58a85cfcd17995ccdf9cbcc928d977b2f3dcc4c4e4a209ee4938dfee67a62e03e3a57196a6684399618382968b15a9b03bc77778fb8b8

Download Submit
\??\c:\Windows\System32\CSC4522809AF0EF48ACA1E54E7582AB530.TMP

Filesize
1KB

MD5
47fa8be984a761eed9ddc12bad4b4f61

SHA1
47cf543057fea8c63985cc386ececd8fca267242

SHA256
fb38cb0ac68d8daffa4648c3467a9fcb37e7a362be2e9344fadcecbdda53fd86

SHA512
15d8e622b9bab40fce8e7b3d8cc8495ae6198b48f955421d3066576f02461eb28824bba9bb95f3de88af67843f133607eb0cc3c799bf906409f73da2a8953963

Download Submit
memory/984-196-0x000000001CB10000-0x000000001CB7B000-memory.dmp

Filesize
428KB

Download
memory/1028-292-0x000000001C880000-0x000000001C8EB000-memory.dmp

Filesize
428KB

Download
memory/2292-328-0x000000001B340000-0x000000001B3AB000-memory.dmp

Filesize
428KB

Download
memory/2480-148-0x000000001BF30000-0x000000001BF9B000-memory.dmp

Filesize
428KB

Download
memory/2684-244-0x000000001C9F0000-0x000000001CA5B000-memory.dmp

Filesize
428KB

Download
memory/3036-280-0x000000001BBD0000-0x000000001BC3B000-memory.dmp

Filesize
428KB

Download
memory/3384-268-0x000000001C550000-0x000000001C5BB000-memory.dmp

Filesize
428KB

Download
memory/3756-67-0x000001DFDDD10000-0x000001DFDDD32000-memory.dmp

Filesize
136KB

Download
memory/3860-340-0x000000001BF40000-0x000000001BFAB000-memory.dmp

Filesize
428KB

Download
memory/4028-304-0x000000001C630000-0x000000001C69B000-memory.dmp

Filesize
428KB

Download
memory/4412-184-0x000000001BEA0000-0x000000001BF0B000-memory.dmp

Filesize
428KB

Download
memory/4520-256-0x000000001BEA0000-0x000000001BF0B000-memory.dmp

Filesize
428KB

Download
memory/4920-208-0x000000001BD00000-0x000000001BD6B000-memory.dmp

Filesize
428KB

Download
memory/4956-160-0x000000001B6A0000-0x000000001B70B000-memory.dmp

Filesize
428KB

Download
memory/5352-232-0x000000001C920000-0x000000001C98B000-memory.dmp

Filesize
428KB

Download
memory/5656-316-0x000000001C300000-0x000000001C36B000-memory.dmp

Filesize
428KB

Download
memory/5988-220-0x000000001CA50000-0x000000001CABB000-memory.dmp

Filesize
428KB

Download
memory/6008-172-0x000000001BBA0000-0x000000001BC0B000-memory.dmp

Filesize
428KB

Download
memory/6040-35-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-16-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-121-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-34-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-18-0x0000000003200000-0x0000000003208000-memory.dmp

Filesize
32KB

Download
memory/6040-0-0x00007FFAB5B63000-0x00007FFAB5B65000-memory.dmp

Filesize
8KB

Download
memory/6040-22-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-37-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-21-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-62-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-20-0x0000000003320000-0x000000000332C000-memory.dmp

Filesize
48KB

Download
memory/6040-36-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-15-0x00000000031F0000-0x00000000031FC000-memory.dmp

Filesize
48KB

Download
memory/6040-11-0x000000001C100000-0x000000001C150000-memory.dmp

Filesize
320KB

Download
memory/6040-13-0x000000001C0B0000-0x000000001C0C8000-memory.dmp

Filesize
96KB

Download
memory/6040-10-0x000000001BD10000-0x000000001BD2C000-memory.dmp

Filesize
112KB

Download
memory/6040-8-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-7-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-6-0x00000000031E0000-0x00000000031EE000-memory.dmp

Filesize
56KB

Download
memory/6040-4-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-114-0x000000001C490000-0x000000001C4FB000-memory.dmp

Filesize
428KB

Download
memory/6040-3-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-2-0x00007FFAB5B60000-0x00007FFAB6621000-memory.dmp

Filesize
10.8MB

Download
memory/6040-1-0x0000000000F40000-0x0000000001126000-memory.dmp

Filesize
1.9MB

Download