dcrat | fd198cf3ef764ffa17e7bd465d666057804a25ed5c6061074c0de7b6df43a667

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f148dd5c5e1754e666715462f5a410b.exe
Size

885KB
MD5

2f148dd5c5e1754e666715462f5a410b
SHA1

0c5f8fcab489df669639c334af2e1f1e4868fab6
SHA256

070cd87bc58c7b6dc8a21b89e93a548f173fcc7668f68c2e9462ce18eeccf11a
SHA512

a515fe57b44d71a0709e9a1cb56f5c2f87bc9cf609ee111af21b12bae620305a2df102b93d34c48784bbcdba39092e8eeb2be5f15cbf99ba256c973172c7e4fe
SSDEEP

12288:UlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:UlNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1328	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral8/memory/2084-1-0x0000000000680000-0x0000000000764000-memory.dmp	dcrat
behavioral8/files/0x0007000000024156-19.dat	dcrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	2f148dd5c5e1754e666715462f5a410b.exe

Executes dropped EXE 12 IoCs

pid	Process
3324	services.exe
3568	services.exe
1784	services.exe
2924	services.exe
3460	services.exe
4728	services.exe
4312	services.exe
4412	services.exe
3528	services.exe
3096	services.exe
5068	services.exe
5016	services.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0409\OfficeClickToRun.exe	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Windows\SysWOW64\0409\e6c9b481da804f	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Windows\SysWOW64\0409\RCXB324.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Windows\SysWOW64\0409\RCXB325.tmp	2f148dd5c5e1754e666715462f5a410b.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Crashpad\attachments\SppExtComObj.exe	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Registry.exe	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\9e8d7a4ca61bd9	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files\Crashpad\attachments\e1ef82546f0b02	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXB2CB.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files (x86)\Google\RCXB2DD.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files (x86)\Google\RCXB2DE.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\ee2ad38f3d4382	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files (x86)\Google\RuntimeBroker.exe	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files (x86)\Google\9e8d7a4ca61bd9	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXB21E.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXB2DC.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXB21F.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXB2BA.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXB2DB.tmp	2f148dd5c5e1754e666715462f5a410b.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Sun\Java\Deployment\5b884080fd4f94	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Windows\Panther\actionqueue\System.exe	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Windows\Sun\Java\Deployment\RCXB297.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Windows\Sun\Java\Deployment\RCXB2A8.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Windows\ModemLogs\RCXB312.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCXB326.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCXB337.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Windows\Sun\Java\Deployment\fontdrvhost.exe	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Windows\ModemLogs\services.exe	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Windows\ModemLogs\c5b4cb5e9653cc	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Windows\Panther\actionqueue\27d1bcfc3c54e0	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Windows\ModemLogs\RCXB313.tmp	2f148dd5c5e1754e666715462f5a410b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	2f148dd5c5e1754e666715462f5a410b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4244	schtasks.exe
1780	schtasks.exe
1200	schtasks.exe
2076	schtasks.exe
4456	schtasks.exe
3500	schtasks.exe
4564	schtasks.exe
5092	schtasks.exe
3860	schtasks.exe
1084	schtasks.exe
380	schtasks.exe
1352	schtasks.exe
3552	schtasks.exe
3896	schtasks.exe
372	schtasks.exe
1576	schtasks.exe
2756	schtasks.exe
3392	schtasks.exe
3720	schtasks.exe
664	schtasks.exe
2284	schtasks.exe
1308	schtasks.exe
4252	schtasks.exe
4628	schtasks.exe
3800	schtasks.exe
4772	schtasks.exe
2992	schtasks.exe
3348	schtasks.exe
1400	schtasks.exe
3292	schtasks.exe
3516	schtasks.exe
392	schtasks.exe
4604	schtasks.exe
4888	schtasks.exe
2088	schtasks.exe
1356	schtasks.exe
4892	schtasks.exe
3540	schtasks.exe
2440	schtasks.exe
2660	schtasks.exe
1080	schtasks.exe
4944	schtasks.exe
4084	schtasks.exe
1908	schtasks.exe
1816	schtasks.exe
4940	schtasks.exe
1500	schtasks.exe
5036	schtasks.exe
4444	schtasks.exe
1608	schtasks.exe
952	schtasks.exe
64	schtasks.exe
5068	schtasks.exe
1988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
2084	2f148dd5c5e1754e666715462f5a410b.exe
3324	services.exe
3568	services.exe
3568	services.exe
1784	services.exe
1784	services.exe
2924	services.exe
2924	services.exe
3460	services.exe
3460	services.exe
4728	services.exe
4728	services.exe
4312	services.exe
4312	services.exe
4412	services.exe
4412	services.exe
3528	services.exe
3528	services.exe
3096	services.exe
3096	services.exe
5068	services.exe
5068	services.exe
5016	services.exe
5016	services.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	2f148dd5c5e1754e666715462f5a410b.exe
Token: SeDebugPrivilege	3324	services.exe
Token: SeDebugPrivilege	3568	services.exe
Token: SeDebugPrivilege	1784	services.exe
Token: SeDebugPrivilege	2924	services.exe
Token: SeDebugPrivilege	3460	services.exe
Token: SeDebugPrivilege	4728	services.exe
Token: SeDebugPrivilege	4312	services.exe
Token: SeDebugPrivilege	4412	services.exe
Token: SeDebugPrivilege	3528	services.exe
Token: SeDebugPrivilege	3096	services.exe
Token: SeDebugPrivilege	5068	services.exe
Token: SeDebugPrivilege	5016	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 3904	2084	2f148dd5c5e1754e666715462f5a410b.exe	144
PID 2084 wrote to memory of 3904	2084	2f148dd5c5e1754e666715462f5a410b.exe	144
PID 3904 wrote to memory of 4484	3904	cmd.exe	146
PID 3904 wrote to memory of 4484	3904	cmd.exe	146
PID 3904 wrote to memory of 3324	3904	cmd.exe	147
PID 3904 wrote to memory of 3324	3904	cmd.exe	147
PID 3324 wrote to memory of 4320	3324	services.exe	150
PID 3324 wrote to memory of 4320	3324	services.exe	150
PID 3324 wrote to memory of 4796	3324	services.exe	151
PID 3324 wrote to memory of 4796	3324	services.exe	151
PID 4320 wrote to memory of 3568	4320	WScript.exe	156
PID 4320 wrote to memory of 3568	4320	WScript.exe	156
PID 3568 wrote to memory of 4944	3568	services.exe	157
PID 3568 wrote to memory of 4944	3568	services.exe	157
PID 3568 wrote to memory of 4368	3568	services.exe	158
PID 3568 wrote to memory of 4368	3568	services.exe	158
PID 4944 wrote to memory of 1784	4944	WScript.exe	159
PID 4944 wrote to memory of 1784	4944	WScript.exe	159
PID 1784 wrote to memory of 3048	1784	services.exe	161
PID 1784 wrote to memory of 3048	1784	services.exe	161
PID 1784 wrote to memory of 2088	1784	services.exe	162
PID 1784 wrote to memory of 2088	1784	services.exe	162
PID 3048 wrote to memory of 2924	3048	WScript.exe	163
PID 3048 wrote to memory of 2924	3048	WScript.exe	163
PID 2924 wrote to memory of 1516	2924	services.exe	164
PID 2924 wrote to memory of 1516	2924	services.exe	164
PID 2924 wrote to memory of 2528	2924	services.exe	165
PID 2924 wrote to memory of 2528	2924	services.exe	165
PID 1516 wrote to memory of 3460	1516	WScript.exe	166
PID 1516 wrote to memory of 3460	1516	WScript.exe	166
PID 3460 wrote to memory of 4624	3460	services.exe	167
PID 3460 wrote to memory of 4624	3460	services.exe	167
PID 3460 wrote to memory of 1988	3460	services.exe	168
PID 3460 wrote to memory of 1988	3460	services.exe	168
PID 4624 wrote to memory of 4728	4624	WScript.exe	170
PID 4624 wrote to memory of 4728	4624	WScript.exe	170
PID 4728 wrote to memory of 4416	4728	services.exe	171
PID 4728 wrote to memory of 4416	4728	services.exe	171
PID 4728 wrote to memory of 3416	4728	services.exe	172
PID 4728 wrote to memory of 3416	4728	services.exe	172
PID 4416 wrote to memory of 4312	4416	WScript.exe	173
PID 4416 wrote to memory of 4312	4416	WScript.exe	173
PID 4312 wrote to memory of 1220	4312	services.exe	174
PID 4312 wrote to memory of 1220	4312	services.exe	174
PID 4312 wrote to memory of 4892	4312	services.exe	175
PID 4312 wrote to memory of 4892	4312	services.exe	175
PID 1220 wrote to memory of 4412	1220	WScript.exe	176
PID 1220 wrote to memory of 4412	1220	WScript.exe	176
PID 4412 wrote to memory of 4508	4412	services.exe	177
PID 4412 wrote to memory of 4508	4412	services.exe	177
PID 4412 wrote to memory of 1516	4412	services.exe	178
PID 4412 wrote to memory of 1516	4412	services.exe	178
PID 4508 wrote to memory of 3528	4508	WScript.exe	180
PID 4508 wrote to memory of 3528	4508	WScript.exe	180
PID 3528 wrote to memory of 4876	3528	services.exe	181
PID 3528 wrote to memory of 4876	3528	services.exe	181
PID 3528 wrote to memory of 4912	3528	services.exe	182
PID 3528 wrote to memory of 4912	3528	services.exe	182
PID 4876 wrote to memory of 3096	4876	WScript.exe	183
PID 4876 wrote to memory of 3096	4876	WScript.exe	183
PID 3096 wrote to memory of 3296	3096	services.exe	184
PID 3096 wrote to memory of 3296	3096	services.exe	184
PID 3096 wrote to memory of 4908	3096	services.exe	185
PID 3096 wrote to memory of 4908	3096	services.exe	185

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2f148dd5c5e1754e666715462f5a410b.exe
"C:\Users\Admin\AppData\Local\Temp\2f148dd5c5e1754e666715462f5a410b.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9yikd2SKJw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4484
- - C:\Windows\ModemLogs\services.exe
    "C:\Windows\ModemLogs\services.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e547772-7689-40dd-acb7-f47bf56efb0a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4320
    - - C:\Windows\ModemLogs\services.exe
        
        C:\Windows\ModemLogs\services.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3568
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\727b0b9e-83b8-40b0-857c-30cb8833ae9d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\ModemLogs\services.exe
        
        C:\Windows\ModemLogs\services.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\449b2e73-d070-4a8b-a462-4afbfaa692ec.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\ModemLogs\services.exe
        
        C:\Windows\ModemLogs\services.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\671d659a-aedb-476e-a84b-1b623e09d103.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\ModemLogs\services.exe
        
        C:\Windows\ModemLogs\services.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe871ae8-15c7-4754-bb65-cc012a22bb7b.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\ModemLogs\services.exe
        
        C:\Windows\ModemLogs\services.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f08b8287-1471-4a3d-8266-22588348bc5d.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\ModemLogs\services.exe
        
        C:\Windows\ModemLogs\services.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b52f55f5-94b1-492f-9670-0effe4b98919.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\ModemLogs\services.exe
        
        C:\Windows\ModemLogs\services.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b0fcb10-b1cf-4feb-94e6-bfe815aeb2fb.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\ModemLogs\services.exe
        
        C:\Windows\ModemLogs\services.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7221e38c-fa25-4cf0-b9c6-0e272cb6e93b.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\ModemLogs\services.exe
        
        C:\Windows\ModemLogs\services.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d9c20a7-de16-402f-b814-8219bfa36669.vbs"
        22⤵
        
        PID:3296
        
        C:\Windows\ModemLogs\services.exe
        
        C:\Windows\ModemLogs\services.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\443f5dea-5242-45dc-a646-df48f0db5278.vbs"
        24⤵
        
        PID:872
        
        C:\Windows\ModemLogs\services.exe
        
        C:\Windows\ModemLogs\services.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ae0a130-e796-4e44-a73a-c221aea2599d.vbs"
        26⤵
        
        PID:4492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\040f9558-39d1-4d22-8cf3-8460b91c489b.vbs"
        26⤵
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a95408a1-d076-4af9-af4c-ace70f65ed12.vbs"
        24⤵
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bf5bb9b-09ce-4a75-84c5-f3fcf631460b.vbs"
        22⤵
        
        PID:4908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1dac3c1-d5ef-46d9-8c4b-9f95e2753d2c.vbs"
        20⤵
        
        PID:4912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a42ac4c3-b90d-4180-b28e-9e2e373fb3d4.vbs"
        18⤵
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cc0a08e-f328-451c-b69a-7b655080127f.vbs"
        16⤵
        
        PID:4892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8efae2d4-7b90-40ac-b2db-96b5f7dce2d3.vbs"
        14⤵
        
        PID:3416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2d0332b-0f76-4512-8647-d75c66c82ff2.vbs"
        12⤵
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5bbde0f-d725-405b-90b7-be79013bd320.vbs"
        10⤵
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dcd7347-73fa-4f8f-9687-6c71398ec4b8.vbs"
        8⤵
        
        PID:2088
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a813a66-9e3e-4df3-a49a-eabdc9c9af45.vbs"
        6⤵
        
        PID:4368
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dac6e44-11ed-402b-af83-bbe3bfaceb1d.vbs"
      4⤵
      PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Music\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Start Menu\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Recent\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\d9c22b4eaa3c0b9c12c7\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ModemLogs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\0409\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\SysWOW64\0409\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\0409\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\actionqueue\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\actionqueue\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\d9c22b4eaa3c0b9c12c7\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\d9c22b4eaa3c0b9c12c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dac6e44-11ed-402b-af83-bbe3bfaceb1d.vbs

Filesize
485B

MD5
a74a375591463d665944065d34499782

SHA1
632efdb8b57a1ca4ff85153c88ff97107acbe9d4

SHA256
5c3e403c73103bef9838edaa2d3d0a6c3861441aeeda1dd5ba69f30cbc613495

SHA512
c9121ce2b70071a77682c2b58cfbe49f0810f76caecc289f3783ce5a5bbca51ed303862b19ebf1d5327ded4acfa561abcf16235597a5aeb379375527a40ae259

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b0fcb10-b1cf-4feb-94e6-bfe815aeb2fb.vbs

Filesize
709B

MD5
7a0fc97a821a6f58b5d8053ef9420c56

SHA1
2e4680648da573273b09054b3bc1096bc82fdb4a

SHA256
aa83cf5f350df167fe2a91741891d23409805d42ef2c54b9240e0ff59de7ce57

SHA512
1cd4e6c432865e27dacef46342829b66ae0cef252577f9b3587ba4ab474167bce0efc82272e55f7f2ee92c61effce57f47a9183c5f0aa8cda7426cdee9e97992

Download Submit
C:\Users\Admin\AppData\Local\Temp\443f5dea-5242-45dc-a646-df48f0db5278.vbs

Filesize
709B

MD5
c19b6a0cf505b3cfc8f02c2fc0b5e690

SHA1
8d176cf1c59ba013efd1cb2a7b939ec5684a1444

SHA256
27689910e0b0762d7323be082df5c21183d1d7bbff85c5533c7f05d5cb55bb1a

SHA512
64e5bec49bda1640e4595989cbc84cade99557de2a554bbaaa81f48755d9ac70d08aa5e4341c18b34bec1876c40526c9eb5e2a30ae0f257995733e3ccebf571d

Download Submit
C:\Users\Admin\AppData\Local\Temp\449b2e73-d070-4a8b-a462-4afbfaa692ec.vbs

Filesize
709B

MD5
36f583793310974cb7949e0769a6281d

SHA1
b3b563304117f513222d37371230269113b1d621

SHA256
1eecbe5beb06239b4ae574ccf0c3f866deaf0710c3d4fc4c845d9b324f12166b

SHA512
6506a841948b5af2ab6048727eff8cf9044620d45e8f77e5fc8d1bb8d7325d44c79e4bbf06bf301b84e47f4a0216f26ff71097cc8625c76653b333cdd12ad998

Download Submit
C:\Users\Admin\AppData\Local\Temp\671d659a-aedb-476e-a84b-1b623e09d103.vbs

Filesize
709B

MD5
74d952d6382235ed0a1fd88a2c5e7051

SHA1
60dce5916b3fe3d9b9ab0919e2c3a4c8c2d8f785

SHA256
103302a7f9004dd67a5b2cade39a06082bb28a2e1214f7350d0571d2d52ca703

SHA512
155245232d9a9fee614a23a2cad4c77ab061123ddbdd204af81833625602efaddb4fd429e771587290711abec0ab2be1aa65d419b2f23c98e325525a6187c527

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e547772-7689-40dd-acb7-f47bf56efb0a.vbs

Filesize
709B

MD5
ae1558fa7ea2c678761e92ec84c73775

SHA1
5baf5ab2c14ab9c69c235512d5a61535624d22ef

SHA256
d2366874d3fa187d5cd3f6e2749a46d8ef64b309c918a8d8c843d629a94004e8

SHA512
621ef844c27e97d7b1c40e58980fedaebca02a6f6a8824e00b012cac6e262117ebbf473161bc6afce1e4c5ff6a15e62fa7b86f840bf9c3e6c35422416a790064

Download Submit
C:\Users\Admin\AppData\Local\Temp\7221e38c-fa25-4cf0-b9c6-0e272cb6e93b.vbs

Filesize
709B

MD5
bea5a3cfd56f16e0c9f812e85e1777a0

SHA1
de03b9af35d9ea9a1cf2bcae36a268931d19eda0

SHA256
10a528da80a474b5e9d1ea7fdb570db7c559148e9b18e8ff9254bbf5d7e6520b

SHA512
5dabaec70cf524f68146de092a69720c982ce6e891fb44bdccdc488103fbe39d6a5651637b446d800890ad981e071b06399f19ac5ea8eeab868d1a0606ac46a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\727b0b9e-83b8-40b0-857c-30cb8833ae9d.vbs

Filesize
709B

MD5
51fca70fa16fb16cf9554e7789512a2a

SHA1
2acbc83b07529c809dbd371d3b942cb449c4cb32

SHA256
cf6679082f063eba2767bddcc873a3f578367d8f9571acb873e04277ead40604

SHA512
76eb2978251867a40fbcf2d909005773cb73daf5ef646973c4e53611d5896505dd7f1583123c5859409be60c7bb173391e546d6a190d8a47c196f30437cf87d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d9c20a7-de16-402f-b814-8219bfa36669.vbs

Filesize
709B

MD5
3e84996b3c35143cf98361ac70df3934

SHA1
be638e29b090692821ec51bcf892e4b927c8de3d

SHA256
88b6e60fd9613456a87756f3c71460080cf68ccec327dfc28903ae2fd50612c4

SHA512
4a07fcf9c1a4c9c315ff8bfe3700feb86ab18429395f4d176342d1d13e4b50030c3e1edfb3d1771566b94de9239e5af091521e21cedcc6bed3986a39c2ed92f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ae0a130-e796-4e44-a73a-c221aea2599d.vbs

Filesize
709B

MD5
e27ac5e6b06633ef515ccc6094f04934

SHA1
1ce36a55fd65e430f11b272c7ec617a04069784a

SHA256
4dfad8425db7324b41f45dda28ac1a65c721735d0d54a777242cfed03f112e8d

SHA512
77dbf0bd34f552706d4ff357602880a080c70399618c603b1bef1f0eda1263e672eeccb0737ad907ec7ebdee2c8fdf5214216b7c836510f9aebc88b7be997bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\9yikd2SKJw.bat

Filesize
198B

MD5
9df70d9b70689f215ac75cbd7e10d113

SHA1
cf07ef8cd26077199e5ba62099b6d3abdf956cf6

SHA256
d5eaf105a9f78482d3e8d87aada4fddf189a34de77a8e5c344d55c359748f5d8

SHA512
7e1d1fca0b33d6b087e7321b7718f66f72d2b2a3cd4d1afa7b69a9c6415cad76c34245894b480e8722602397fb2e1ec5188fb3d756a11396fbb11280158a71d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b52f55f5-94b1-492f-9670-0effe4b98919.vbs

Filesize
709B

MD5
1fc4535255594c537813f5ab178b4a53

SHA1
df85f76b97eed61ac6d77d28421f93092998a9bb

SHA256
d96cd4cc2f616bdd8b7d7cd54f5f6db8f05fe2f3ea56f6c8ee19bc4f85b9d7ac

SHA512
0601b75dd5d6e4876565b971f00af7e80bd457dbd3835f6f0b138a788627daa2873fbd780b84524ffb11f43a31c0905003f7168b63c8621a2930c9db12420c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\f08b8287-1471-4a3d-8266-22588348bc5d.vbs

Filesize
709B

MD5
799f174ac419b0f6619b417e6ae32ca3

SHA1
2108d30ba6af881bf43cd5c97efeeefcf5e9150c

SHA256
4e01bfa881307c435bb297a382571d30cf58c854e3e227869fccf81493525c65

SHA512
d2b670d0c4ec7a248331a3db228fce984ebf6475a3303bfa48ed3ffbc93218edecc781513336ae3e65a2c6e561785da75f0d1eeb019da0955f035c0751bd13f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe871ae8-15c7-4754-bb65-cc012a22bb7b.vbs

Filesize
709B

MD5
54bf592f819ca3a4f44ce4d18f09dd3b

SHA1
37502164e473e8a63e09977a591de73fbb5e9fda

SHA256
f2af9465872ffab6ada367f72a307b10804718f9c6d3ba168d71137284b2092b

SHA512
d40051c6ad868355c62e32424adb2ad24e1aa79d0a469a9c013e33a5f95d586cb69d0c60343da51be210faa11e40d8529a594e4505da1844b043f530e9e37f37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\taskhostw.exe

Filesize
885KB

MD5
2f148dd5c5e1754e666715462f5a410b

SHA1
0c5f8fcab489df669639c334af2e1f1e4868fab6

SHA256
070cd87bc58c7b6dc8a21b89e93a548f173fcc7668f68c2e9462ce18eeccf11a

SHA512
a515fe57b44d71a0709e9a1cb56f5c2f87bc9cf609ee111af21b12bae620305a2df102b93d34c48784bbcdba39092e8eeb2be5f15cbf99ba256c973172c7e4fe

Download Submit
memory/2084-9-0x000000001B4D0000-0x000000001B4D8000-memory.dmp

Filesize
32KB

Download
memory/2084-256-0x00007FFDCE120000-0x00007FFDCEBE1000-memory.dmp

Filesize
10.8MB

Download
memory/2084-6-0x000000001B4A0000-0x000000001B4B6000-memory.dmp

Filesize
88KB

Download
memory/2084-7-0x000000001B380000-0x000000001B38A000-memory.dmp

Filesize
40KB

Download
memory/2084-3-0x000000001B360000-0x000000001B37C000-memory.dmp

Filesize
112KB

Download
memory/2084-0-0x00007FFDCE123000-0x00007FFDCE125000-memory.dmp

Filesize
8KB

Download
memory/2084-8-0x000000001B4C0000-0x000000001B4CE000-memory.dmp

Filesize
56KB

Download
memory/2084-10-0x000000001B4E0000-0x000000001B4EC000-memory.dmp

Filesize
48KB

Download
memory/2084-5-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/2084-4-0x000000001B4F0000-0x000000001B540000-memory.dmp

Filesize
320KB

Download
memory/2084-2-0x00007FFDCE120000-0x00007FFDCEBE1000-memory.dmp

Filesize
10.8MB

Download
memory/2084-1-0x0000000000680000-0x0000000000764000-memory.dmp

Filesize
912KB

Download