dcrat | 5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6

Analysis

max time kernel
102s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Size

999KB
MD5

7c3748401169a78459eb9603ff69e2b2
SHA1

1a5d82422f062f1ce5d6eb3cb41c56d066f7981f
SHA256

d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d
SHA512

ec52f803bd6ff1fbcec6da1624a5fb93ebba87742fd3191b27fdf8e77bc7cbc8217542eacffb1f1f2c323a3956ef3037ef47595c9a00e43951172171275abc12
SSDEEP

12288:/9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:/9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\Registry.exe\", \"C:\\Windows\\Help\\Windows\\IndexStore\\en-US\\dwm.exe\", \"C:\\Windows\\en-US\\smss.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\updates\\explorer.exe\", \"C:\\Windows\\debug\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Documents\\My Music\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\taskhostw.exe\", \"C:\\ProgramData\\Documents\\fontdrvhost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\Registry.exe\", \"C:\\Windows\\Help\\Windows\\IndexStore\\en-US\\dwm.exe\", \"C:\\Windows\\en-US\\smss.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\updates\\explorer.exe\", \"C:\\Windows\\debug\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Documents\\My Music\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\taskhostw.exe\", \"C:\\ProgramData\\Documents\\fontdrvhost.exe\", \"C:\\Users\\Public\\Videos\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft OneDrive\\setup\\SppExtComObj.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\Registry.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\Registry.exe\", \"C:\\Windows\\Help\\Windows\\IndexStore\\en-US\\dwm.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\Registry.exe\", \"C:\\Windows\\Help\\Windows\\IndexStore\\en-US\\dwm.exe\", \"C:\\Windows\\en-US\\smss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\Registry.exe\", \"C:\\Windows\\Help\\Windows\\IndexStore\\en-US\\dwm.exe\", \"C:\\Windows\\en-US\\smss.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\updates\\explorer.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\Registry.exe\", \"C:\\Windows\\Help\\Windows\\IndexStore\\en-US\\dwm.exe\", \"C:\\Windows\\en-US\\smss.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\updates\\explorer.exe\", \"C:\\Windows\\debug\\backgroundTaskHost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\Registry.exe\", \"C:\\Windows\\Help\\Windows\\IndexStore\\en-US\\dwm.exe\", \"C:\\Windows\\en-US\\smss.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\updates\\explorer.exe\", \"C:\\Windows\\debug\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Documents\\My Music\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\taskhostw.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\Registry.exe\", \"C:\\Windows\\Help\\Windows\\IndexStore\\en-US\\dwm.exe\", \"C:\\Windows\\en-US\\smss.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\updates\\explorer.exe\", \"C:\\Windows\\debug\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Documents\\My Music\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\taskhostw.exe\", \"C:\\ProgramData\\Documents\\fontdrvhost.exe\", \"C:\\Users\\Public\\Videos\\RuntimeBroker.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\Registry.exe\", \"C:\\Windows\\Help\\Windows\\IndexStore\\en-US\\dwm.exe\", \"C:\\Windows\\en-US\\smss.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\updates\\explorer.exe\", \"C:\\Windows\\debug\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Documents\\My Music\\StartMenuExperienceHost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\Registry.exe\", \"C:\\Windows\\Help\\Windows\\IndexStore\\en-US\\dwm.exe\", \"C:\\Windows\\en-US\\smss.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\updates\\explorer.exe\", \"C:\\Windows\\debug\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Documents\\My Music\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5720	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5792	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5732	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5252	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5292	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	4044	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	4044	schtasks.exe	88

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Executes dropped EXE 1 IoCs

pid	Process
4652	taskhostw.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Help\\Windows\\IndexStore\\en-US\\dwm.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\updates\\explorer.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\debug\\backgroundTaskHost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\Documents\\My Music\\StartMenuExperienceHost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Admin\\taskhostw.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\ProgramData\\Documents\\fontdrvhost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\en-US\\smss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Videos\\RuntimeBroker.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\ProgramData\\Microsoft OneDrive\\setup\\SppExtComObj.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\Registry.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\9f171e4e11a5db	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\RCX9328.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\RCX93A6.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\en-US\RCX890E.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\Help\Windows\IndexStore\en-US\dwm.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\debug\backgroundTaskHost.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\Help\Windows\IndexStore\en-US\RCX86E9.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\en-US\smss.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\debug\RCX8E13.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\en-US\smss.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\debug\eddb19405b7ce1	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\Help\Windows\IndexStore\en-US\dwm.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\en-US\RCX898C.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\debug\RCX8E82.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\debug\backgroundTaskHost.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\Help\Windows\IndexStore\en-US\6cb0b6c459d5d3	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\Help\Windows\IndexStore\en-US\RCX86EA.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\en-US\69ddcba757bf72	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4692	schtasks.exe
4032	schtasks.exe
5008	schtasks.exe
1300	schtasks.exe
5732	schtasks.exe
1672	schtasks.exe
2760	schtasks.exe
3060	schtasks.exe
4748	schtasks.exe
5032	schtasks.exe
4740	schtasks.exe
1528	schtasks.exe
1260	schtasks.exe
2852	schtasks.exe
3744	schtasks.exe
5292	schtasks.exe
4768	schtasks.exe
3896	schtasks.exe
4888	schtasks.exe
4960	schtasks.exe
1060	schtasks.exe
1012	schtasks.exe
4944	schtasks.exe
3576	schtasks.exe
4668	schtasks.exe
4764	schtasks.exe
2104	schtasks.exe
4192	schtasks.exe
1664	schtasks.exe
4976	schtasks.exe
5792	schtasks.exe
1888	schtasks.exe
232	schtasks.exe
368	schtasks.exe
5720	schtasks.exe
4980	schtasks.exe
4872	schtasks.exe
3208	schtasks.exe
1384	schtasks.exe
636	schtasks.exe
2040	schtasks.exe
3692	schtasks.exe
3440	schtasks.exe
4824	schtasks.exe
4020	schtasks.exe
3108	schtasks.exe
5252	schtasks.exe
2508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Token: SeDebugPrivilege	4652	taskhostw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 5064	1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	143
PID 1840 wrote to memory of 5064	1840	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	143
PID 5064 wrote to memory of 996	5064	cmd.exe	145
PID 5064 wrote to memory of 996	5064	cmd.exe	145
PID 5064 wrote to memory of 4652	5064	cmd.exe	151
PID 5064 wrote to memory of 4652	5064	cmd.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
"C:\Users\Admin\AppData\Local\Temp\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CyA6Uc1OxI.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:996
- - C:\Users\Admin\taskhostw.exe
    "C:\Users\Admin\taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONSTART /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc MINUTE /mo 9 /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONSTART /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\Windows\IndexStore\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Help\Windows\IndexStore\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\Windows\Help\Windows\IndexStore\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\Windows\IndexStore\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONSTART /tr "'C:\Windows\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\updates\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\updates\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\updates\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\updates\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONSTART /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONSTART /tr "'C:\Users\Public\Documents\My Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\PackageManifests\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc ONSTART /tr "'C:\Program Files\Microsoft Office\PackageManifests\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1dd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\PackageManifests\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONSTART /tr "'C:\Users\Admin\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 13 /tr "'C:\ProgramData\Documents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ProgramData\Documents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONSTART /tr "'C:\ProgramData\Documents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\ProgramData\Documents\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONSTART /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc MINUTE /mo 12 /tr "'C:\ProgramData\Microsoft OneDrive\setup\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\setup\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONSTART /tr "'C:\ProgramData\Microsoft OneDrive\setup\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\ProgramData\Microsoft OneDrive\setup\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\PackageManifests\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Filesize
999KB

MD5
b29609dd11d191566a2bb046f39b44d3

SHA1
43d4b008935dd314838c2dc7892332e02a2b8208

SHA256
7f32fc4a218cb09906a7a23c10c8e698a9cc0c322b94eb67f8f964b1cb1dd6fe

SHA512
8176a63ace3bcd98dc5507d1e5e5d113e887716f5e2476d1f604e48e435e58accade1201d2823a5fbf56e4b16b9e752d834c6155ddcf0f2c92998f41ac2d5fed

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\updates\explorer.exe

Filesize
999KB

MD5
7c3748401169a78459eb9603ff69e2b2

SHA1
1a5d82422f062f1ce5d6eb3cb41c56d066f7981f

SHA256
d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d

SHA512
ec52f803bd6ff1fbcec6da1624a5fb93ebba87742fd3191b27fdf8e77bc7cbc8217542eacffb1f1f2c323a3956ef3037ef47595c9a00e43951172171275abc12

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\updates\explorer.exe

Filesize
999KB

MD5
204f10e085ee403f0c94abb643dc4e20

SHA1
67795b42fa3baf927915c22ce489cc3eb2ce2e39

SHA256
f2ae3cb87bcc8341df4922002c610657ee335f5b031be9978652e7cbeb2e9747

SHA512
2db1dcb34a8a0091145c8347ca9da68fe67847913011155082a618b1a4d6756ceaf3a9e130b64f25d2c6e7ce49bf3aae9851dcae3196f959537e2a2264298244

Download Submit
C:\Users\Admin\AppData\Local\Temp\CyA6Uc1OxI.bat

Filesize
192B

MD5
bcdbdfc60a9c26e616b4908d1ea3b625

SHA1
295ec37fcfcf7b0f759eee24c33856a53368bf90

SHA256
bf4fa7f2b884006049a625c78af6a5db6396111851b1e9da16e082be908916fa

SHA512
f5ba2a10c6ef020140384c3c74f45dd7e81cda1b3791b8f89b41508066158bd6678941b9e5339b3955bcc68ddc1efb2feffd5aaf06cf09f663f40f20af17e58b

Download Submit
C:\Users\Public\Music\StartMenuExperienceHost.exe

Filesize
999KB

MD5
a73b1dd144ac564f13d4f2bd2e0eac84

SHA1
ad14f219bd41da2998b435ac1a555afb04bf700f

SHA256
946e123db8541f40bcdc2adf6b3804679ccc1ba46426ac970f54a3713d9b0b58

SHA512
a0c3d0b7cb901d363ade63a3758dce20836bb60ffe4dfea154577a09c76b60261ce92f3681ad6487dfb586fb71cbefd5773221a2e63f21742e612d9f481ebb06

Download Submit
C:\Windows\debug\backgroundTaskHost.exe

Filesize
999KB

MD5
5c8efcbd0634139ad025345a909d0e89

SHA1
7ce70ed85f7fcfcde5e0203ef4cf398147c6cf15

SHA256
f6e44a3af56011de296d051ce317b365087f37444082addd9f132233e590e945

SHA512
b4a9eec5ba16b9a2bee1ebc80b03f5bfa47a14ca129f94f37bf0de318d2dcdc7232601b204cec0072f38046b6e1b661b08b005c35083a23b0e57bc5feeea98e9

Download Submit
memory/1840-4-0x0000000002280000-0x00000000022D0000-memory.dmp

Filesize
320KB

Download
memory/1840-0-0x00007FFF46383000-0x00007FFF46385000-memory.dmp

Filesize
8KB

Download
memory/1840-8-0x0000000002260000-0x000000000226C000-memory.dmp

Filesize
48KB

Download
memory/1840-9-0x0000000002270000-0x000000000227E000-memory.dmp

Filesize
56KB

Download
memory/1840-10-0x00000000023F0000-0x00000000023FC000-memory.dmp

Filesize
48KB

Download
memory/1840-11-0x0000000002400000-0x000000000240C000-memory.dmp

Filesize
48KB

Download
memory/1840-7-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1840-6-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/1840-5-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/1840-3-0x00000000008C0000-0x00000000008DC000-memory.dmp

Filesize
112KB

Download
memory/1840-2-0x00007FFF46380000-0x00007FFF46E41000-memory.dmp

Filesize
10.8MB

Download
memory/1840-177-0x00007FFF46383000-0x00007FFF46385000-memory.dmp

Filesize
8KB

Download
memory/1840-184-0x00007FFF46380000-0x00007FFF46E41000-memory.dmp

Filesize
10.8MB

Download
memory/1840-1-0x0000000000010000-0x0000000000110000-memory.dmp

Filesize
1024KB

Download