dcrat | aff3e08b50336ce6a1cfe39c45d32d918dc6f190662aef666addb193f44d47a8

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Size

1.6MB
MD5

5c40a0842a538e01695fdfb1b5268840
SHA1

77815adb386d69b1615b318ba20434663a5416bf
SHA256

76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a
SHA512

30ef7616b385e77a350310f7ea4cf193e0bca1107366c51f1808ae8d9277904fce4dfec23e72fc7fffa022b5ad87d2aa7dfa35b140b93ab84d2d87d365237a8d
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5788	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5988	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6104	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6036	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5860	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5668	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5512	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	972	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	972	schtasks.exe	88

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral28/memory/5096-1-0x0000000000DD0000-0x0000000000F72000-memory.dmp	dcrat
behavioral28/files/0x00070000000242aa-26.dat	dcrat
behavioral28/files/0x00090000000242a3-102.dat	dcrat
behavioral28/files/0x00090000000242aa-115.dat	dcrat
behavioral28/files/0x00090000000242c4-126.dat	dcrat
behavioral28/files/0x000c0000000242b1-160.dat	dcrat
behavioral28/memory/6044-333-0x00000000006D0000-0x0000000000872000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5556	powershell.exe
2016	powershell.exe
4352	powershell.exe
2704	powershell.exe
5264	powershell.exe
5992	powershell.exe
5428	powershell.exe
3496	powershell.exe
3988	powershell.exe
5520	powershell.exe
5876	powershell.exe
5692	powershell.exe
5112	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe

Executes dropped EXE 15 IoCs

pid	Process
6044	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
3436	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5836	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
2016	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
6124	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
888	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
3340	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5612	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
4732	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5528	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
3228	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
4288	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
6024	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
3020	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
1076	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\0a1fd5f707cd16	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files\Windows Portable Devices\lsass.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX8BC9.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX8BCA.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lsass.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\edge_BITS_4576_120908518\RCX972B.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\edge_BITS_4576_120908518\RCX979A.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX9C60.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX9C5F.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files\Windows Portable Devices\6203df4a6bafc7	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files\edge_BITS_4576_120908518\204dc3c561ac29	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\servicing\Packages\StartMenuExperienceHost.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4728	schtasks.exe
5512	schtasks.exe
4472	schtasks.exe
4524	schtasks.exe
4692	schtasks.exe
3008	schtasks.exe
3380	schtasks.exe
5668	schtasks.exe
1064	schtasks.exe
4456	schtasks.exe
1416	schtasks.exe
5860	schtasks.exe
6104	schtasks.exe
3580	schtasks.exe
2148	schtasks.exe
1812	schtasks.exe
1388	schtasks.exe
5788	schtasks.exe
5988	schtasks.exe
4856	schtasks.exe
4816	schtasks.exe
4608	schtasks.exe
2640	schtasks.exe
4208	schtasks.exe
1400	schtasks.exe
4704	schtasks.exe
4868	schtasks.exe
2868	schtasks.exe
6036	schtasks.exe
4324	schtasks.exe
1496	schtasks.exe
4132	schtasks.exe
2576	schtasks.exe
4656	schtasks.exe
4800	schtasks.exe
3836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
4352	powershell.exe
4352	powershell.exe
5556	powershell.exe
5556	powershell.exe
2704	powershell.exe
2704	powershell.exe
5264	powershell.exe
5264	powershell.exe
5112	powershell.exe
5112	powershell.exe
3988	powershell.exe
3988	powershell.exe
5520	powershell.exe
5520	powershell.exe
5876	powershell.exe
5876	powershell.exe
5992	powershell.exe
5992	powershell.exe
5428	powershell.exe
5428	powershell.exe
2016	powershell.exe
2016	powershell.exe
5692	powershell.exe
5692	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
5112	powershell.exe
5520	powershell.exe
5428	powershell.exe
2016	powershell.exe
5992	powershell.exe
3988	powershell.exe
4352	powershell.exe
5556	powershell.exe
2704	powershell.exe
5264	powershell.exe
5692	powershell.exe
5876	powershell.exe
6044	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
3436	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5836	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5836	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
2016	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
2016	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
6124	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
888	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
888	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
3340	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
3340	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5612	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
4732	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
5528	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
3228	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
4288	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
6024	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	5556	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	5264	powershell.exe
Token: SeDebugPrivilege	5520	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	5428	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	5876	powershell.exe
Token: SeDebugPrivilege	5992	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	5692	powershell.exe
Token: SeDebugPrivilege	6044	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	3436	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	5836	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	2016	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	6124	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	888	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	3340	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	5612	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	4732	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	5528	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	3228	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	4288	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	6024	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	3020	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	1076	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 5264	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	130
PID 5096 wrote to memory of 5264	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	130
PID 5096 wrote to memory of 3496	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	131
PID 5096 wrote to memory of 3496	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	131
PID 5096 wrote to memory of 2704	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	132
PID 5096 wrote to memory of 2704	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	132
PID 5096 wrote to memory of 4352	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	133
PID 5096 wrote to memory of 4352	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	133
PID 5096 wrote to memory of 3988	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	134
PID 5096 wrote to memory of 3988	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	134
PID 5096 wrote to memory of 5520	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	135
PID 5096 wrote to memory of 5520	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	135
PID 5096 wrote to memory of 5876	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	136
PID 5096 wrote to memory of 5876	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	136
PID 5096 wrote to memory of 5692	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	137
PID 5096 wrote to memory of 5692	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	137
PID 5096 wrote to memory of 5112	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	138
PID 5096 wrote to memory of 5112	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	138
PID 5096 wrote to memory of 5556	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	139
PID 5096 wrote to memory of 5556	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	139
PID 5096 wrote to memory of 2016	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	140
PID 5096 wrote to memory of 2016	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	140
PID 5096 wrote to memory of 5992	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	141
PID 5096 wrote to memory of 5992	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	141
PID 5096 wrote to memory of 5428	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	142
PID 5096 wrote to memory of 5428	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	142
PID 5096 wrote to memory of 4540	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	156
PID 5096 wrote to memory of 4540	5096	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	156
PID 4540 wrote to memory of 2892	4540	cmd.exe	158
PID 4540 wrote to memory of 2892	4540	cmd.exe	158
PID 4540 wrote to memory of 6044	4540	cmd.exe	160
PID 4540 wrote to memory of 6044	4540	cmd.exe	160
PID 6044 wrote to memory of 1444	6044	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	161
PID 6044 wrote to memory of 1444	6044	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	161
PID 6044 wrote to memory of 2868	6044	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	162
PID 6044 wrote to memory of 2868	6044	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	162
PID 1444 wrote to memory of 3436	1444	WScript.exe	163
PID 1444 wrote to memory of 3436	1444	WScript.exe	163
PID 3436 wrote to memory of 4608	3436	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	164
PID 3436 wrote to memory of 4608	3436	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	164
PID 3436 wrote to memory of 1184	3436	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	165
PID 3436 wrote to memory of 1184	3436	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	165
PID 4608 wrote to memory of 5836	4608	WScript.exe	169
PID 4608 wrote to memory of 5836	4608	WScript.exe	169
PID 5836 wrote to memory of 5740	5836	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	171
PID 5836 wrote to memory of 5740	5836	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	171
PID 5836 wrote to memory of 4684	5836	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	172
PID 5836 wrote to memory of 4684	5836	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	172
PID 5740 wrote to memory of 2016	5740	WScript.exe	176
PID 5740 wrote to memory of 2016	5740	WScript.exe	176
PID 2016 wrote to memory of 3824	2016	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	177
PID 2016 wrote to memory of 3824	2016	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	177
PID 2016 wrote to memory of 1960	2016	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	178
PID 2016 wrote to memory of 1960	2016	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	178
PID 3824 wrote to memory of 6124	3824	WScript.exe	179
PID 3824 wrote to memory of 6124	3824	WScript.exe	179
PID 6124 wrote to memory of 3288	6124	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	180
PID 6124 wrote to memory of 3288	6124	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	180
PID 6124 wrote to memory of 2856	6124	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	181
PID 6124 wrote to memory of 2856	6124	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	181
PID 3288 wrote to memory of 888	3288	WScript.exe	182
PID 3288 wrote to memory of 888	3288	WScript.exe	182
PID 888 wrote to memory of 3248	888	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	183
PID 888 wrote to memory of 3248	888	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	183

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
"C:\Users\Admin\AppData\Local\Temp\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hs0sn2L6wi.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2892
- - C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
    "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:6044
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa5371a5-9cd8-4018-905b-8ac60b9a212f.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3436
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ceb783e-547d-4327-9f40-485cbf6cc524.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfe56630-ba55-4f0f-a223-6eb27e9f687d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5740
        
        C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\543ef7a4-17ea-4f48-bb80-224354b5c9c5.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9737c72c-ec16-4af9-8e87-aceddb1dda89.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a44781e-e249-4c7d-bd52-90612e07edb1.vbs"
        14⤵
        
        PID:3248
        
        C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abfa5745-13a7-4852-acea-bf4466d0dbc6.vbs"
        16⤵
        
        PID:3416
        
        C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d6fe2f8-6a71-4f0f-afa0-1d04549060df.vbs"
        18⤵
        
        PID:4728
        
        C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4704a6eb-b6ce-432a-82e4-a1ad450c8fc4.vbs"
        20⤵
        
        PID:1476
        
        C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5ce89b7-6f29-4ad7-bb92-0c2264c3d955.vbs"
        22⤵
        
        PID:1800
        
        C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cacd12c2-7fdb-4dd1-b35e-7709ea44d6af.vbs"
        24⤵
        
        PID:1116
        
        C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c3f811a-c2ae-44d8-a96f-98fdd9fd103d.vbs"
        26⤵
        
        PID:4932
        
        C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b34fda31-e4c6-4ed6-a122-326608ccb1b3.vbs"
        28⤵
        
        PID:3180
        
        C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3eda8c8a-5d10-494f-a9ee-40a45e4041fa.vbs"
        30⤵
        
        PID:4308
        
        C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
        
        "C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a40cb834-481f-4764-a467-74fd9caeec9b.vbs"
        32⤵
        
        PID:1876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af697949-386e-49cb-a26c-bb0d41ad29f1.vbs"
        32⤵
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b71a8b1f-1313-4e95-98b6-432854a8c158.vbs"
        30⤵
        
        PID:5072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14eccf38-1a1b-4ff5-b485-f2f6a421e672.vbs"
        28⤵
        
        PID:4808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80987074-e8f9-40c1-8a08-ed292818a9f4.vbs"
        26⤵
        
        PID:5032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35e2833d-4141-4342-befe-a7dbc7ae9911.vbs"
        24⤵
        
        PID:4864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5af6ddb1-9d61-4cc5-9e7d-6caeb16b25ab.vbs"
        22⤵
        
        PID:3212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69a525b0-580f-45ff-8c92-e8a6c4c30e9a.vbs"
        20⤵
        
        PID:4664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0cebc49-ab22-4bb3-8790-82e8ed2e74c0.vbs"
        18⤵
        
        PID:3580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc48c1e0-559d-44e6-8f9d-3671bcf4dece.vbs"
        16⤵
        
        PID:5976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13d5e008-271a-4967-905d-3817d60a37ae.vbs"
        14⤵
        
        PID:5296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82011b12-d69c-4c54-9b58-46bd911e4714.vbs"
        12⤵
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea44e16c-8aa8-43fc-8330-d38ac12c26b4.vbs"
        10⤵
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f37c1df-6b4b-4fc3-b52c-cf852832efc7.vbs"
        8⤵
        
        PID:4684
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe091748-a97b-49b3-8678-7b65262754d8.vbs"
        6⤵
        
        PID:1184
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\842b00eb-805d-48c0-8dd8-66b312755e0a.vbs"
      4⤵
      PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\f170d29a37c9c9775251\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\f170d29a37c9c9775251\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a7" /sc MINUTE /mo 14 /tr "'C:\f170d29a37c9c9775251\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a7" /sc MINUTE /mo 5 /tr "'C:\f170d29a37c9c9775251\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Contacts\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Contacts\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a7" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a7" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\f170d29a37c9c9775251\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\f170d29a37c9c9775251\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\SoftwareDistribution\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\SoftwareDistribution\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\edge_BITS_4576_120908518\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe

Filesize
1.6MB

MD5
4f104584aabc4c26bbd3019277f87f7f

SHA1
82935f2de41d2daa54be5308048546c4e68898e2

SHA256
b72710cce20426a85d9ee1cf92709c84482f92ec50821f9fbd5a24786de80a1b

SHA512
72d57831db3d35f7ca219b28cfde63ed2da95b0d2353953e15c627446b860bae1dd5ff7ddcb7f75fd3bfda086fac0284463ed5cff6e5f0ea62c629d88f721181

Download Submit
C:\ProgramData\lsass.exe

Filesize
1.6MB

MD5
14871d24a3da9d4ff650ac2425ee5cf9

SHA1
586f81ce5dadd24570d55b94b912b2d92ad6de1f

SHA256
b2db18ac18b587e64b083eb9208e04dee0d34d9b2ea8b3a40cbd795a0f5619e2

SHA512
5db87a5d0cae9ce804fa1359c5ae2331b35d2a0d12bd2d296c6230fb1b632a6a39f8179ba69183adc09bb78c6b49143b37ef0d5e78b07af4cb04a3a91e742f7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
984eb66ab76d3a57f9ec4642c1334404

SHA1
99601e707cf36b395ed084b2ba6c895c2c6ffc7a

SHA256
92cf7154efc40b025c009df572acf404151aa9966a205559930324904124c48f

SHA512
c74d68ea69101ff4374ab42e9fac26c24cc90b19eb1c962b47901523a627e1c00afb81bcfbfc268d1f6654115ede59ecf657604941c6fb4e245d48a1c285293d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c667bc406c30dedf08683212c4a204b5

SHA1
4d713119a8483f32461a45e8291a2b8dc1fc4e7d

SHA256
0789d8328acb13062de330425e072019c1d81bea70923d5ef5428f9604d969cf

SHA512
1f6b49f11baf3b4289677d8b27537e016896fc878d14af3d8c132d6800a591a632b31203edd570f3f8b90e7c0047a4f4ecd938c10520832d2df55ba35a53bd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fe089fecc1a7897c40a12707d788ca9

SHA1
97f8ab9020333729ec191b3dbd044c57227b84fc

SHA256
70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c

SHA512
4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47d9df7fab0d0c96afdd2ca49f2b5030

SHA1
92583883bcf376062ddef5db2333f066d8d36612

SHA256
0f244dd39698dace2c650435886b1175ea01131e581d6c13888576c07fa40b02

SHA512
1844ce4f35849b70c246127482040986caa1bbae2d81119c77e9841f2a3280aabae0ad0db52fc29fe48023b4f4c073fe759b1f54e70e1562289d5e349c015200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c3cddab7d289f65843ac7ee436ff50d

SHA1
19046a0dc416df364c3be08b72166becf7ed9ca9

SHA256
c94ea9a9d0877a48ade47f77733be15871512f7aded45a211eb636bdcf7e45a1

SHA512
45c710a959f67ed05c25709c24887a4d5e5909e94f2012bd1cad64b32729fafea6f6628b2552f36c9d98bf8a1ddf50bb84d92d6e1cb15f20b2a74739ff19c9ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
35be6e176d67a5af3e24a7f54b4a9574

SHA1
900bbb3f3f8a9d38a4e548b4ba60838a9eae41b9

SHA256
c0be8fe9bbed3f82068a8179a28fadfcaef8a524818f34b87b59b5e1b2cae1c7

SHA512
09d15913b88d2eb7529d661c5bb2ee20eef0a7df92b5eaaadb2ebc70ad68d9c38b341b148ac058c895b7f85a54d703c3543b043d8d2a3f0536d21d3c7ebbe15f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae19674c4dd6a419a8ce8bc65e65167

SHA1
8b3f7e010483412b803e756c850fecd29cf9fb8a

SHA256
f4a34d2ff32e49df841e87405dab2661bcae83c20ee781a13fbe73924fd672cd

SHA512
9865dd43b4494081bb625844fcedb56dfc335b5f2cadd5c4094f0848df07ab5fa40faeb3adbbb91e1355ed436dfbf44ff4ae9ad39cdbd5fbfdef4d1813f3ee74

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ceb783e-547d-4327-9f40-485cbf6cc524.vbs

Filesize
786B

MD5
7b91b08e2f9b878d38bee99e5f2f8730

SHA1
d2585a56d1417a1ad62ddd0e4f4c3d12506e8ed4

SHA256
c8d64a3970f64261ca4bb867758feec83b382c06d4db6d1a468635e0acb76988

SHA512
65252a93f161ffd4552cdfe48a1e718f72417607d4eee131155a1ddc63e7561a555c73d190b4aa93571e7dc038a0c3a361f0fd5c057e197d556dffa0b3c24114

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d6fe2f8-6a71-4f0f-afa0-1d04549060df.vbs

Filesize
786B

MD5
bbd42e775a4f770efd8c8e758387eeec

SHA1
f7225bdccfa7c18954d2c34d8c9f9ce8c853281e

SHA256
e1e7c6f730a3c2f1217cfbf3ab1d68e332694917aaece7fd35c2e19544ce37d4

SHA512
a49d50b589773cab41cdd83f188312945cb8ef31f3ffd283738a89f457dfef886851dab7b8ef4218e9d5144127e871f94d31750efdb766aecbdd0f64d8ec2497

Download Submit
C:\Users\Admin\AppData\Local\Temp\4704a6eb-b6ce-432a-82e4-a1ad450c8fc4.vbs

Filesize
786B

MD5
8eb4d28f81e70de071db64ab16468a2d

SHA1
13120e0a4f1974ae87aa8c37cdfacddf839ae580

SHA256
6b8a2973c0118465f51fabbac0891d0fef0eb259eefee193269d0197c22fd68f

SHA512
a4d960f191b102041b4c932e9be6a2e056f980d6143616137d33d4edaa7cb6313a4e3c980b8fef8a190f6da0d9261c228ff087cf36c9c358c85af966810de861

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c3f811a-c2ae-44d8-a96f-98fdd9fd103d.vbs

Filesize
786B

MD5
e1c0ca572042e5a1f4952ccd896235da

SHA1
40fbce50f946ae7f048f1cf3dd2fe2b10d1b5ea3

SHA256
8b22e37fbba0129207aedc988917406044e4dae6a14c129dc1c146d58c9ae487

SHA512
6cacefab9679cf9c3172e516f7d143a1920f1ee6d9d41bdc773cb28e74fd0f7bb734218e54af99a04be5f9df3260ce9d3b184beef44f3309d24d7f588eb55fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\543ef7a4-17ea-4f48-bb80-224354b5c9c5.vbs

Filesize
786B

MD5
2c79926dbc0a6882b3dde1c39b7ca1ae

SHA1
43813829817a0ae6787d1349b85121f392de5fd6

SHA256
cc2f2f3c5b0354f5a2897e055c1188de1beb9cfdaea6a82c7adf8e510cd65cc0

SHA512
2301c8204bf2d85651cd77b0de2ae8eb714a96ce573f864b9e23f12ab471ce332d903f7f169732c0c1e79315a867bcaaa427cf06da8b1dfd695415b6e1481b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a44781e-e249-4c7d-bd52-90612e07edb1.vbs

Filesize
785B

MD5
66ba3106b8d4e8ad6ca73cf77215de72

SHA1
6545e5d114985301f43ce5b5718a327f519321fe

SHA256
684f0a514a0de3eedabb57cdd25b20432a65b0ad0cfe663f0d7df9b33c354040

SHA512
0cd9030854fb7456b22aa5bc47eeda059d5ab11777dcd79bc634fce5e5f3f85daf420cc41a2c8e681f6d1e468c0755f5cd6e61bc6755fed99a5583add3be1f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\842b00eb-805d-48c0-8dd8-66b312755e0a.vbs

Filesize
562B

MD5
bb529d1bfb59ea77720855f0df7422d6

SHA1
5dd342f9cf81ef26496e88a84fb0b827b6f39299

SHA256
12c533e4f4cb85073aaf14465337c3a5ca5667f2d7d5d06ac75bf0c1b431713f

SHA512
7b4273c1fdfb05e3ba4d39bc00d9aa300bdf5a8177958c378877d5d1a9c1af37167787f4d880f0fb3078fe2e3e86c288069fe3c1a822da9d612b0314c25f0fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9737c72c-ec16-4af9-8e87-aceddb1dda89.vbs

Filesize
786B

MD5
bda7bd6d88297989a976419c978099b9

SHA1
c41d1c006efd8bb83750b79de44bd39d670d49fe

SHA256
d7dbf394e98322dd8771d04ea28d3ad2cc985d7b550b0ea1c47809941061e57e

SHA512
ece61fb07a0c7b54475df39dc3ac2b99a73cb09c0c948dcbb78ac543af4e76bcfd347a3e4bf884537f40c49feccdad438193f34304b6a31d808043cbf217d4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ex4emg4l.kx0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa5371a5-9cd8-4018-905b-8ac60b9a212f.vbs

Filesize
786B

MD5
7448567661dde0f68af827280d743013

SHA1
d04ef51f4095d67013be14bad76ffdc98fd3e1dc

SHA256
a6f1e47e0ded7eb655087aa3ab070c12b3b2b232e37c1913efbac488accbb93a

SHA512
a4455e6258ed3f35397423db2293fd9f11d0b2019641fac8566eacceb053a026496d4d0e0b54314c9f99fb2689017142f5e61a813646c61f07779a8e9842446c

Download Submit
C:\Users\Admin\AppData\Local\Temp\abfa5745-13a7-4852-acea-bf4466d0dbc6.vbs

Filesize
786B

MD5
7d53b88f730df9e4cc100b89ffcd6daf

SHA1
83cb5c9065f8a6bd8a8468f767b5ee95a23724a0

SHA256
126f8b0652a7086cdea8133ddc5af2f1b4bf6000b4f6ab4ec73324d8ffeb9d29

SHA512
98e6bdffcccd32addc5a155f01fc67293f7d39866e2598ce3947aa17bb14316327ec77ef469f3953faf309bf20c1fb529148e94385a24ab947ad92fa5f9625c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cacd12c2-7fdb-4dd1-b35e-7709ea44d6af.vbs

Filesize
786B

MD5
369b6f7b05398f34d5e48c5bb6de7489

SHA1
fb2da97cc679e6bc6d195bd9fb084926f5d8dd8b

SHA256
9d793b9a21c75ab59b8e34c7a9ee6f269aae5012777fb497dd409094cb90cccb

SHA512
79694cfa96473e2c5ae84ea8fb6c440d96da08aeef47e3d6163095b95de68abd144e9dac6dc2a92ac56cfdd1e668e880f21695edcff3c1e81a4a5c91be07ef12

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfe56630-ba55-4f0f-a223-6eb27e9f687d.vbs

Filesize
786B

MD5
ed5c5bdd393a9d601e65fc3cbcfc9e44

SHA1
a79eaced435db3a93101988ecc164a233a4a4dc3

SHA256
66bb8a7b23dbc54dead8e17d5d677c1a62f6db69c62539a2707da0864b70b6ae

SHA512
256bfe98f4580e6d01619b6f97a46584415fb67c4736d8d20a3ae31239a10ec842a21c7fcf7a41c3a78165177813eb205356e51b1edb0f111c19313521a2d073

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5ce89b7-6f29-4ad7-bb92-0c2264c3d955.vbs

Filesize
786B

MD5
acbe9f30a1117e4680eb0c9bcf30840b

SHA1
876d0e14278f05869bd057e60004a918fd31e3e1

SHA256
3c85d668b228f6e4d8aa86358f586c3e9f45cb57d37cfbf11c69c76025ab311a

SHA512
57a51132cdb3b1e67c7c63052ea152ca7031a327aebcec5c2f39b59e7b14eb4254deaf477b4e6bcf4f8ca37039c70444f612ad99c1b9159edb045eea18cf8f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hs0sn2L6wi.bat

Filesize
275B

MD5
97093d77d86718596891cd95bf3ab35f

SHA1
320b8f12b8bcb80540f6a8701f1e0839f51e0194

SHA256
4cc17d92f0e0c43ee1eaaf70d44d24093e4d995ee805621f6d7058bdba11c8f3

SHA512
20f798fe32333f38e27937cad72f9085225b3823714c6fbcac8520a70cc31dd4bf5aa9c1f6ba80528e6368eee4e79a2a3b4b404b42d3f5864b447a9e1882623a

Download Submit
C:\Users\Admin\Contacts\upfc.exe

Filesize
1.6MB

MD5
5c40a0842a538e01695fdfb1b5268840

SHA1
77815adb386d69b1615b318ba20434663a5416bf

SHA256
76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a

SHA512
30ef7616b385e77a350310f7ea4cf193e0bca1107366c51f1808ae8d9277904fce4dfec23e72fc7fffa022b5ad87d2aa7dfa35b140b93ab84d2d87d365237a8d

Download Submit
C:\Users\Admin\Contacts\upfc.exe

Filesize
1.6MB

MD5
b3b22d4c07bcbe330d921dafe378ecc9

SHA1
379ec9867d741daffec649ee671285e09ba52d22

SHA256
f23238b62c689ee0655239ba8b2a5e0d9437b907d9dfe2f1d232883a5cb7b829

SHA512
d1fad199ce4050b613327b1399dff72aa46837665d9d6122f1f5ab2eb1aa445e0cd07fd3f81b2b1ca8fdd3a1554d17aad45e9727cb8f9c183182046d44ddd402

Download Submit
C:\f170d29a37c9c9775251\sysmon.exe

Filesize
1.6MB

MD5
2db37793afafe995320076abcab3218f

SHA1
c6c2c47c7c5d69f7e77ba9017c6b557e4f8f61fc

SHA256
ef3e8c53d517c4de5406866b2be473a8e44738905ce093572a1ae3fef33474f2

SHA512
0e0f2d474af6734023a2bea78838e7ac9231a615397fc6ce66ea6d568c284ef6f20b11f1fd364c2c75efa7050103118b7cbfe4ad5b60c4ed60aeae0f2594eda0

Download Submit
memory/3436-354-0x0000000002850000-0x0000000002866000-memory.dmp

Filesize
88KB

Download
memory/3436-355-0x0000000002850000-0x0000000002866000-memory.dmp

Filesize
88KB

Download
memory/5096-16-0x000000001BC00000-0x000000001BC0A000-memory.dmp

Filesize
40KB

Download
memory/5096-15-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

Filesize
32KB

Download
memory/5096-1-0x0000000000DD0000-0x0000000000F72000-memory.dmp

Filesize
1.6MB

Download
memory/5096-175-0x00007FFFA85C0000-0x00007FFFA9081000-memory.dmp

Filesize
10.8MB

Download
memory/5096-151-0x00007FFFA85C3000-0x00007FFFA85C5000-memory.dmp

Filesize
8KB

Download
memory/5096-17-0x000000001BC10000-0x000000001BC1C000-memory.dmp

Filesize
48KB

Download
memory/5096-12-0x0000000003220000-0x000000000322A000-memory.dmp

Filesize
40KB

Download
memory/5096-2-0x00007FFFA85C0000-0x00007FFFA9081000-memory.dmp

Filesize
10.8MB

Download
memory/5096-13-0x000000001BBD0000-0x000000001BBDE000-memory.dmp

Filesize
56KB

Download
memory/5096-14-0x000000001BBE0000-0x000000001BBE8000-memory.dmp

Filesize
32KB

Download
memory/5096-0-0x00007FFFA85C3000-0x00007FFFA85C5000-memory.dmp

Filesize
8KB

Download
memory/5096-233-0x00007FFFA85C0000-0x00007FFFA9081000-memory.dmp

Filesize
10.8MB

Download
memory/5096-11-0x0000000003210000-0x000000000321C000-memory.dmp

Filesize
48KB

Download
memory/5096-9-0x00000000031F0000-0x00000000031F8000-memory.dmp

Filesize
32KB

Download
memory/5096-10-0x0000000003200000-0x000000000320C000-memory.dmp

Filesize
48KB

Download
memory/5096-8-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/5096-7-0x0000000001920000-0x0000000001928000-memory.dmp

Filesize
32KB

Download
memory/5096-6-0x0000000001900000-0x0000000001916000-memory.dmp

Filesize
88KB

Download
memory/5096-5-0x00000000018F0000-0x0000000001900000-memory.dmp

Filesize
64KB

Download
memory/5096-4-0x0000000003230000-0x0000000003280000-memory.dmp

Filesize
320KB

Download
memory/5096-3-0x0000000001730000-0x000000000174C000-memory.dmp

Filesize
112KB

Download
memory/5520-181-0x000002825F0B0000-0x000002825F0D2000-memory.dmp

Filesize
136KB

Download
memory/6044-333-0x00000000006D0000-0x0000000000872000-memory.dmp

Filesize
1.6MB

Download