dcrat | 6681cb73deb0effc4f44f704c6bddb07e98c1f8da4c8478cca7ddd49abdb0c3f

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
Size

1.6MB
MD5

8b03d1f60bdf0b6465c0623109e7269e
SHA1

33fb1f09f53ca182e1112ed973fce8fa97e4398f
SHA256

1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf
SHA512

8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	1364	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1364	schtasks.exe	88

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral18/memory/2732-1-0x0000000000770000-0x0000000000912000-memory.dmp	dcrat
behavioral18/files/0x0007000000024156-26.dat	dcrat
behavioral18/files/0x000b000000024183-115.dat	dcrat
behavioral18/files/0x0011000000024156-172.dat	dcrat
behavioral18/files/0x000e00000002416c-270.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2196	powershell.exe
3128	powershell.exe
4332	powershell.exe
5024	powershell.exe
5116	powershell.exe
3000	powershell.exe
876	powershell.exe
1164	powershell.exe
736	powershell.exe
3380	powershell.exe
3420	powershell.exe
4392	powershell.exe
4676	powershell.exe
4516	powershell.exe
1580	powershell.exe
4788	powershell.exe
3988	powershell.exe
2780	powershell.exe
4868	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 12 IoCs

pid	Process
6068	RuntimeBroker.exe
5748	RuntimeBroker.exe
5364	RuntimeBroker.exe
2380	RuntimeBroker.exe
916	RuntimeBroker.exe
5456	RuntimeBroker.exe
6044	RuntimeBroker.exe
3104	RuntimeBroker.exe
468	RuntimeBroker.exe
5212	RuntimeBroker.exe
5096	RuntimeBroker.exe
5596	RuntimeBroker.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCXB7C9.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCXB7CA.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXCDE5.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\55b276f4edf653	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXC2D0.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\Uninstall Information\fontdrvhost.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXC2CF.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXCDE6.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Common Files\Services\9e8d7a4ca61bd9	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\RCXBC03.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\RCXBC13.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\5b884080fd4f94	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\6203df4a6bafc7	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Windows\de-DE\RCXB9DE.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Windows\de-DE\RCXB9EF.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Windows\de-DE\lsass.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Windows\servicing\InboxFodMetadataCache\explorer.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Windows\de-DE\lsass.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4860	schtasks.exe
4720	schtasks.exe
2648	schtasks.exe
1528	schtasks.exe
3400	schtasks.exe
2584	schtasks.exe
4560	schtasks.exe
4164	schtasks.exe
2280	schtasks.exe
2692	schtasks.exe
4264	schtasks.exe
4516	schtasks.exe
4676	schtasks.exe
3012	schtasks.exe
3420	schtasks.exe
1192	schtasks.exe
1244	schtasks.exe
1596	schtasks.exe
1636	schtasks.exe
2496	schtasks.exe
812	schtasks.exe
4620	schtasks.exe
1980	schtasks.exe
1400	schtasks.exe
1032	schtasks.exe
1412	schtasks.exe
2052	schtasks.exe
3176	schtasks.exe
428	schtasks.exe
1952	schtasks.exe
4412	schtasks.exe
1576	schtasks.exe
4180	schtasks.exe
860	schtasks.exe
1924	schtasks.exe
1888	schtasks.exe
3500	schtasks.exe
4580	schtasks.exe
3832	schtasks.exe
2772	schtasks.exe
696	schtasks.exe
1580	schtasks.exe
5024	schtasks.exe
1564	schtasks.exe
1496	schtasks.exe
3532	schtasks.exe
1968	schtasks.exe
2196	schtasks.exe
2780	schtasks.exe
3468	schtasks.exe
4756	schtasks.exe
3320	schtasks.exe
3744	schtasks.exe
2080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
5116	powershell.exe
5116	powershell.exe
736	powershell.exe
736	powershell.exe
4676	powershell.exe
4676	powershell.exe
4516	powershell.exe
4516	powershell.exe
1164	powershell.exe
1164	powershell.exe
3000	powershell.exe
3000	powershell.exe
3128	powershell.exe
3128	powershell.exe
1580	powershell.exe
1580	powershell.exe
2196	powershell.exe
2196	powershell.exe
4392	powershell.exe
4392	powershell.exe
4788	powershell.exe
4788	powershell.exe
3420	powershell.exe
3420	powershell.exe
4332	powershell.exe
4332	powershell.exe
4868	powershell.exe
4868	powershell.exe
5024	powershell.exe
5024	powershell.exe
876	powershell.exe
876	powershell.exe
2780	powershell.exe
2780	powershell.exe
3988	powershell.exe
3988	powershell.exe
3380	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	6068	RuntimeBroker.exe
Token: SeDebugPrivilege	5748	RuntimeBroker.exe
Token: SeDebugPrivilege	5364	RuntimeBroker.exe
Token: SeDebugPrivilege	2380	RuntimeBroker.exe
Token: SeDebugPrivilege	916	RuntimeBroker.exe
Token: SeDebugPrivilege	5456	RuntimeBroker.exe
Token: SeDebugPrivilege	6044	RuntimeBroker.exe
Token: SeDebugPrivilege	3104	RuntimeBroker.exe
Token: SeDebugPrivilege	468	RuntimeBroker.exe
Token: SeDebugPrivilege	5212	RuntimeBroker.exe
Token: SeDebugPrivilege	5096	RuntimeBroker.exe
Token: SeDebugPrivilege	5596	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 3380	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	143
PID 2732 wrote to memory of 3380	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	143
PID 2732 wrote to memory of 1580	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	144
PID 2732 wrote to memory of 1580	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	144
PID 2732 wrote to memory of 736	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	145
PID 2732 wrote to memory of 736	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	145
PID 2732 wrote to memory of 4516	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	146
PID 2732 wrote to memory of 4516	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	146
PID 2732 wrote to memory of 5116	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	147
PID 2732 wrote to memory of 5116	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	147
PID 2732 wrote to memory of 4676	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	148
PID 2732 wrote to memory of 4676	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	148
PID 2732 wrote to memory of 4392	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	149
PID 2732 wrote to memory of 4392	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	149
PID 2732 wrote to memory of 1164	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	150
PID 2732 wrote to memory of 1164	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	150
PID 2732 wrote to memory of 5024	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	151
PID 2732 wrote to memory of 5024	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	151
PID 2732 wrote to memory of 4332	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	152
PID 2732 wrote to memory of 4332	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	152
PID 2732 wrote to memory of 3128	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	153
PID 2732 wrote to memory of 3128	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	153
PID 2732 wrote to memory of 2196	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	154
PID 2732 wrote to memory of 2196	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	154
PID 2732 wrote to memory of 4868	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	155
PID 2732 wrote to memory of 4868	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	155
PID 2732 wrote to memory of 2780	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	156
PID 2732 wrote to memory of 2780	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	156
PID 2732 wrote to memory of 876	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	157
PID 2732 wrote to memory of 876	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	157
PID 2732 wrote to memory of 3988	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	158
PID 2732 wrote to memory of 3988	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	158
PID 2732 wrote to memory of 4788	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	159
PID 2732 wrote to memory of 4788	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	159
PID 2732 wrote to memory of 3420	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	160
PID 2732 wrote to memory of 3420	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	160
PID 2732 wrote to memory of 3000	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	161
PID 2732 wrote to memory of 3000	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	161
PID 2732 wrote to memory of 6068	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	181
PID 2732 wrote to memory of 6068	2732	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	181
PID 6068 wrote to memory of 5464	6068	RuntimeBroker.exe	182
PID 6068 wrote to memory of 5464	6068	RuntimeBroker.exe	182
PID 6068 wrote to memory of 5620	6068	RuntimeBroker.exe	183
PID 6068 wrote to memory of 5620	6068	RuntimeBroker.exe	183
PID 5464 wrote to memory of 5748	5464	WScript.exe	184
PID 5464 wrote to memory of 5748	5464	WScript.exe	184
PID 5748 wrote to memory of 2992	5748	RuntimeBroker.exe	188
PID 5748 wrote to memory of 2992	5748	RuntimeBroker.exe	188
PID 5748 wrote to memory of 3012	5748	RuntimeBroker.exe	189
PID 5748 wrote to memory of 3012	5748	RuntimeBroker.exe	189
PID 2992 wrote to memory of 5364	2992	WScript.exe	194
PID 2992 wrote to memory of 5364	2992	WScript.exe	194
PID 5364 wrote to memory of 5156	5364	RuntimeBroker.exe	195
PID 5364 wrote to memory of 5156	5364	RuntimeBroker.exe	195
PID 5364 wrote to memory of 4748	5364	RuntimeBroker.exe	196
PID 5364 wrote to memory of 4748	5364	RuntimeBroker.exe	196
PID 5156 wrote to memory of 2380	5156	WScript.exe	201
PID 5156 wrote to memory of 2380	5156	WScript.exe	201
PID 2380 wrote to memory of 5656	2380	RuntimeBroker.exe	202
PID 2380 wrote to memory of 5656	2380	RuntimeBroker.exe	202
PID 2380 wrote to memory of 744	2380	RuntimeBroker.exe	203
PID 2380 wrote to memory of 744	2380	RuntimeBroker.exe	203
PID 5656 wrote to memory of 916	5656	WScript.exe	204
PID 5656 wrote to memory of 916	5656	WScript.exe	204

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Pictures\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Users\Admin\Recent\RuntimeBroker.exe
  "C:\Users\Admin\Recent\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:6068
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d481ea4f-eaf6-4f5a-92c5-6292586b303f.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5464
  - - C:\Users\Admin\Recent\RuntimeBroker.exe
      C:\Users\Admin\Recent\RuntimeBroker.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5748
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b943ece4-5f3c-499e-9bf5-922357f3dbdf.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Users\Admin\Recent\RuntimeBroker.exe
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10e3198d-7084-42ad-920f-dba124e31d11.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5156
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2395a278-c7cc-4517-a65c-150eb79e12fe.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5656
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eefd4a25-c381-43c2-b675-8731b5239b7f.vbs"
        11⤵
        
        PID:3960
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cce6cd55-c856-4800-82ef-80d625b9f183.vbs"
        13⤵
        
        PID:5520
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa88264b-173a-4c9a-a2fb-86f9f5df373c.vbs"
        15⤵
        
        PID:5304
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ddd023e-b825-4396-b032-436baa5096f6.vbs"
        17⤵
        
        PID:3504
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f005341-5865-4d0d-8495-42dedb8da939.vbs"
        19⤵
        
        PID:4164
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eab20ebb-59de-4491-9e31-fb0ca465f98b.vbs"
        21⤵
        
        PID:5936
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db098804-eaa4-4fea-b1a4-998ccebcf533.vbs"
        23⤵
        
        PID:4700
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        
        C:\Users\Admin\Recent\RuntimeBroker.exe
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b360418a-9589-475c-8281-ea23d60cd333.vbs"
        23⤵
        
        PID:1180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aac0e408-793d-4bec-8df3-2f946547d6db.vbs"
        21⤵
        
        PID:5808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\740f474d-fbc6-4e70-9a96-b09bad997ed3.vbs"
        19⤵
        
        PID:5584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d25e765-068b-4d09-a655-263c7795fc3d.vbs"
        17⤵
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f14c8f2-c763-4ae1-9acf-86389fff29d6.vbs"
        15⤵
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeaa8eac-87ee-449e-92d1-6c91bb3e4ec1.vbs"
        13⤵
        
        PID:5264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69f96b2c-1b5c-46ee-b51c-a4898a1c55ce.vbs"
        11⤵
        
        PID:5580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7db5887-4ac4-41e2-b648-4f3be53febc0.vbs"
        9⤵
        
        PID:744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac061e4-e7f9-4dbe-b070-eaf0ceb916dd.vbs"
        7⤵
        
        PID:4748
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f816631-af94-4dde-a924-c43d5fe1283f.vbs"
        5⤵
        
        PID:3012
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5616a14c-de2f-44b8-8c2d-ce6d68eaa14c.vbs"
    3⤵
    PID:5620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
30552f7617959d837dbc5167ec0a3824

SHA1
a471b8d31983b3885cee92ead3f3f2b6621c1ebe

SHA256
c8f05399999cda0a1d159d9be58d5d7e39b783290d57a238cfdb22c000301c18

SHA512
37af8e93814f95ea8773b093803ca74475fcc2f0006bcbbd0ecc28d6ab6acb742afed81d5b859f6429128761b440a355f2b35fe38242fae9d8069c8ab23c84b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0bd0ba1b6d523383ae26f8138bac15f

SHA1
8d2828b9380b09fe6b0a78703a821b9fb8a491e5

SHA256
a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1

SHA512
614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
452593747a6f6f0b2e08d8502e1ec6e7

SHA1
027c3a7f5f18e7a1e96bbf2a3d3c267e72821836

SHA256
495c62eea4eb41269dbcdba0c0acd65d27a407ac837f5c04feaaa0542963b33d

SHA512
17a8288467e77ade8e81bf7620e9013ff3690c2577a172ce30734c65ca2d2328afd3737dd6a9fb6b4d7ba673767f094986f6b996f5920d7e1cdecdf019e37488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a0a5a1b68ad6facd1636fe5f5e1c4359

SHA1
e4fee6d6a2476904d9ba14d9045341df3616ca4a

SHA256
7257de23847d0c2fa79bbae208df603b1f29406f486cdcafdaedc54846b18c7a

SHA512
1b843eb6273034c6798379cf217ddb58004db776243daffba33020e5aa0ef8fc440e202b9cd6454521e7b608158891edb979165aa9353d3ea32fae74815e97d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
48b2b59bd1016475be4de4e087bb8169

SHA1
ecf9263187e29dc612224a6e1a4c5243ed110040

SHA256
df0e6548235499fc2881ef422771ee034eb86dadbcecb94f4c324ea1a0a7a209

SHA512
2186e40f82a80a3a89ec630c4d148b9f10424888635632e188eb32fc3f2d91e9a59fdf205810f4d33d3319cf35f9fcb8808c89ab7f7d553296c3969c1a1feb03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1b2770b6e93963548483b9857a191b12

SHA1
da1f36e92f6f116ea4d6300b279be899ed6413a8

SHA256
4c2f150efa24585d81d212c3d1618af0777e007596cf7bd76cbf660db384b00b

SHA512
6fe8388503b09ec12528e982fea548c271d5687163db05ede832a0814a0fad6fa7c4ff32ed0cfa48f90c9b2980e2613be1d673fa47eaa2a9ea9540add473b4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
af1324e7a4e3e6cfc7ee7add0391f0b9

SHA1
19117163248a95e5ceb83b6dc8c21e396f33bcaf

SHA256
a31abfc5cc0132c488495c81046d7f3c7eed1e7a6923d94ffd85b58436871a52

SHA512
6a05a892ec41527782b418a2f232300da84eff105b2d9c1cb55c7e9ce1ef13beab2d57b4bf3cc73d1e5b2710010f3622500c4d8e0cb2fa8e5365b6ff007e9d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f005341-5865-4d0d-8495-42dedb8da939.vbs

Filesize
714B

MD5
0d06d8856eafbd12e01b3f01a6b1ff66

SHA1
5a49ff5de9b27d19cc1b7e55f9b85509a2f92d12

SHA256
83201592612db6e37cd267cf51b5cfb4e2c6130492d5f4431d5bbb0c3bdff08b

SHA512
5004913752d69f45da91b420310c0ba6fc9558f33400da486b15ae451fe77a9d9813a90e47f1985c0fa9f28249e3c321ccb50c7c312edd479fe51276458d9cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10e3198d-7084-42ad-920f-dba124e31d11.vbs

Filesize
715B

MD5
d83ec6d086dcf7efe0f3e0e064f73587

SHA1
b527001a736133532c54ba8e6a18e096cb5dee5a

SHA256
a03de9211655120fdddb6c2480018f95b0e42a235e664a4337a2bbda71811b35

SHA512
f50618fa67de7f7c597f56a4bc0236791e9ae651240085fa1a89b27e1c8ff3eeee2976df01e95b966147bfbb837ce8fdecffeeefea8d0a1d9a09d7e37d27cf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\2395a278-c7cc-4517-a65c-150eb79e12fe.vbs

Filesize
715B

MD5
65b9b593f51e829b5b210db754293a16

SHA1
0e54fc6a77d154dc9300d73009c38850f2e19c98

SHA256
5ae198ef84c1dfa044fdd758e7ad3ee87fd35aa0d371a92c4de4a8854cc7ef3e

SHA512
c7df026a2bf2d384d9c03d0c59f2463f6af188fb9bfbb86141e6fbfa274ad097c1e6a7a71c3a16f07e4916f04f5c926c490f6ac999ab85a7191aa1c53322db38

Download Submit
C:\Users\Admin\AppData\Local\Temp\5616a14c-de2f-44b8-8c2d-ce6d68eaa14c.vbs

Filesize
491B

MD5
a16ac61e071c7a8babbd6fe177c24503

SHA1
c4fc328a93e45af371648b0f87d04fa1a419b36e

SHA256
8113e0b6dbf74d84cf0b201e6c07f0c675d639c1d9f7c395446aa8d171ec1d57

SHA512
7b416dc315c48f32a59bd947ffb236808a5927200cd38e10b88c74b308c6faf526c49437b99b736259618cfaff484071b8ec7cb49c41d7514d89c9fccf1e44a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ddd023e-b825-4396-b032-436baa5096f6.vbs

Filesize
715B

MD5
a29206e37e9e9cd58530b2072ecec39c

SHA1
ae7dccdae8f78ba47322df83dd2f75376532d318

SHA256
d12875af02bd87eb1a9c976762a85676681f9d01a77d0e68c83d5c9306bacf0f

SHA512
c22374faecc55ab82cbfb7b0dc55ffacd7fb4a59e10eca83a6ed1c71d681ef863f65c53096f79d9a49de7c014670066609389edaf1f0756602e9852b09947908

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zvbdz55r.b3p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b943ece4-5f3c-499e-9bf5-922357f3dbdf.vbs

Filesize
715B

MD5
ea2ba168a1a960d3bf74d47ff2723ed1

SHA1
57d21973ece5d83cabed544569dacc10e00d5b21

SHA256
f4947b4588965189fb0eeeb75efcefa3bfb881adc38590c8ef3596f69f92d0a8

SHA512
02e945330d47813296c0709fc59e916e7f82a1bf8548fc5503b61ef719984ceb88757783b501e7d127344ae418e25d20195f72ceb0f1aaa81b59909c1368b1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cce6cd55-c856-4800-82ef-80d625b9f183.vbs

Filesize
715B

MD5
9d00d2598027ebd4b9f00eaa1db4be06

SHA1
c5092622cf0fe9d42c31daaad7256b3d7385382c

SHA256
49e789b54de3aa7d8296baaee8d7abbcd81f2165705708902085316cfad4e8d5

SHA512
8929d5c594551f1b41eaee2d9d90deb2e433d55bc7b7745a18573a1a9336089f5f101d8d9bb8723c932416f15d6da8cc81a10cf92d754f5855233cb2b1d22278

Download Submit
C:\Users\Admin\AppData\Local\Temp\d481ea4f-eaf6-4f5a-92c5-6292586b303f.vbs

Filesize
715B

MD5
ffcad7faabbc2ae13a70e31e5051dec8

SHA1
6310e51e39b79a06eb76c40f7b7da1330737d36f

SHA256
c287d949a5efda989a10179e6091090c6c3c653bed18423e64de23f2b4aa1ef9

SHA512
a314f9d3110623f8f7f7e3c0097c291d32bde19978ca3958e199a4dbb118ecb4f08f19bc870b7e9abf7981114e2a4195ae5428195eb7c6ef1440005009f9d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\db098804-eaa4-4fea-b1a4-998ccebcf533.vbs

Filesize
715B

MD5
f86d6e28dee4ae5a8dcd6b6b0e07a2b3

SHA1
64caf0f9b2a5eacc7864f431b9b68f349d27f20e

SHA256
34d765f215b75a72fa05c7230ed57f307280cb8b5e58844a24ad5a2d18d6a66f

SHA512
b481d0f8c0540aeb7888c8a8f1c2b2385cd1c8db5a1968d84ac7ce15b3b571a3dba053a92d3c0b92bc851e2e702d2a9c02b0601f813b26c1d9c808682891442c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eab20ebb-59de-4491-9e31-fb0ca465f98b.vbs

Filesize
715B

MD5
d8b3c75c6d2563a995d6f012a0c6d2d4

SHA1
82d2eb4f976431cb381b51f7abbbc0387b96589c

SHA256
c2cbef1fd8f876d78bf04a4e097201413faf236d52686b867a005661c3858c03

SHA512
78e4fae2904da470a9d1403b171aeedb67d2715f7f78802d7bd32cb9467a798bdd198bf9c758106ea6b6d4c88a209f2e0c04e7e85e26e4d34b43f9407af029a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eefd4a25-c381-43c2-b675-8731b5239b7f.vbs

Filesize
714B

MD5
5394c6d24af841729f977aaeb6b19d76

SHA1
e9aa288ed65738b440fe284b4e6e3b37ae8aa8b5

SHA256
eafa6802bd776452cf7aff79b5bea8070265e58e2092df7c78a112031bf8a7b4

SHA512
20c478815dc9f33101b471a7e5f8eddbe84f64f5d807b322f6d99295d444c1abdd80c4c930473d78b183e141269167612e1997a8b4ad9a4dab99ec20efb2a39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa88264b-173a-4c9a-a2fb-86f9f5df373c.vbs

Filesize
715B

MD5
0bf93df1b6b79cb3ec153a918419f304

SHA1
c80755e45c3bf5e644641b652488978192fa4bf4

SHA256
66f2b9832f58a560793952ffad0b0e80728cd785b00ffeb2bddc7cfcec8a905c

SHA512
bbba78f899c3b697a0c823448b5c16443905ee730626cad6e10eb9d064209f7caadd373d8bec67493dca2bdf03111060d8723154a62abc92272e13eb8857bc2f

Download Submit
C:\Users\Public\AccountPictures\SppExtComObj.exe

Filesize
1.6MB

MD5
8b03d1f60bdf0b6465c0623109e7269e

SHA1
33fb1f09f53ca182e1112ed973fce8fa97e4398f

SHA256
1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf

SHA512
8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0

Download Submit
C:\Users\Public\AccountPictures\SppExtComObj.exe

Filesize
1.6MB

MD5
cf2b637d6ce2f00e73f9c384f56e4c7d

SHA1
b51ead76e7487b65815785a439466cf64dc1fb24

SHA256
eb3bc089086650585b14b85f61cf176ec41df79ebdede3b1de4a1ed7ff9e97ab

SHA512
5532ed4e22f304c729143bbb36dbe33b65e10c8c02563db19e5e2a9edde43730091bbb163d0b511af68537ff4ddfd0cfcdc6c9966deb7919beb4e247f5a638be

Download Submit
C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe

Filesize
1.6MB

MD5
6872948a18b1dfac9e62136f806bb439

SHA1
1d4d8fda1d3ddfaa4a6c6d272d5121e5cbbd7bbf

SHA256
9a7a4e98dce80395ca80d0ba80d22c2479ffdcc23332eb97d165402f6494bbdc

SHA512
92420579786621a156a7660b4445fc9bf1b417b0212a41129e783a02e97f3b040b236e1dd79c8419e1334354f68963d50e29d4ea99b5de3c22e383e875df0490

Download Submit
C:\dfe2e59cddd00040f555dab607351a1d\smss.exe

Filesize
1.6MB

MD5
4ae12627b99be1ce48139f0c094fee57

SHA1
cbae347753b7170ce6e253ab2ebc22d3b76e94d2

SHA256
d49698d763409952744118ba7aa38019eedabae69719978a41ad54e074029d7a

SHA512
0467df50ab20127d2c76f22c15f54799f2f9c1d384d0b3eac1724544719de33ff20dcba870f8b37b420263324202e3b7417b7da0c1a3e466bc4339d7cb08e34c

Download Submit
memory/2732-13-0x000000001B610000-0x000000001B61E000-memory.dmp

Filesize
56KB

Download
memory/2732-11-0x0000000002C10000-0x0000000002C1C000-memory.dmp

Filesize
48KB

Download
memory/2732-1-0x0000000000770000-0x0000000000912000-memory.dmp

Filesize
1.6MB

Download
memory/2732-213-0x00007FFF4DAA0000-0x00007FFF4E561000-memory.dmp

Filesize
10.8MB

Download
memory/2732-189-0x00007FFF4DAA3000-0x00007FFF4DAA5000-memory.dmp

Filesize
8KB

Download
memory/2732-17-0x000000001BE10000-0x000000001BE1C000-memory.dmp

Filesize
48KB

Download
memory/2732-14-0x000000001B620000-0x000000001B628000-memory.dmp

Filesize
32KB

Download
memory/2732-15-0x000000001B630000-0x000000001B638000-memory.dmp

Filesize
32KB

Download
memory/2732-16-0x000000001B640000-0x000000001B64A000-memory.dmp

Filesize
40KB

Download
memory/2732-12-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2732-0-0x00007FFF4DAA3000-0x00007FFF4DAA5000-memory.dmp

Filesize
8KB

Download
memory/2732-507-0x00007FFF4DAA0000-0x00007FFF4E561000-memory.dmp

Filesize
10.8MB

Download
memory/2732-10-0x0000000002C00000-0x0000000002C0C000-memory.dmp

Filesize
48KB

Download
memory/2732-9-0x0000000002BA0000-0x0000000002BA8000-memory.dmp

Filesize
32KB

Download
memory/2732-6-0x0000000002B60000-0x0000000002B76000-memory.dmp

Filesize
88KB

Download
memory/2732-8-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/2732-7-0x0000000002B80000-0x0000000002B88000-memory.dmp

Filesize
32KB

Download
memory/2732-3-0x0000000002B40000-0x0000000002B5C000-memory.dmp

Filesize
112KB

Download
memory/2732-4-0x0000000002BB0000-0x0000000002C00000-memory.dmp

Filesize
320KB

Download
memory/2732-5-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2732-2-0x00007FFF4DAA0000-0x00007FFF4E561000-memory.dmp

Filesize
10.8MB

Download
memory/5116-333-0x00000211E40F0000-0x00000211E4112000-memory.dmp

Filesize
136KB

Download