dcrat | 000996e02592d6f5216a77464baff2591739b5cb35a8ad930a5424c9099c7e11

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Size

1.6MB
MD5

1e635900f25bb2891a42cf6d65ca80eb
SHA1

0c6e3ec0b571ee3d1504a4769a77405ba9a54edb
SHA256

0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef
SHA512

c3c215add9a07614b4fff768ac3aeea0ebbaa459e85d6f080aa3734d4eb0742536535c4156201299bbcf86f453acdfc961585eb2536790e58cecfd32db5772a8
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	6004	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	6004	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5388	6004	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	6004	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	6004	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	6004	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral30/memory/3480-1-0x00000000005B0000-0x0000000000752000-memory.dmp	dcrat
behavioral30/files/0x00080000000242e0-28.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4796	powershell.exe
4484	powershell.exe
4616	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe

Executes dropped EXE 15 IoCs

pid	Process
3568	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
3960	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
5108	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
2680	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
2916	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1120	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1992	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1888	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
6060	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
3164	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1212	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1112	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1132	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
5560	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
5888	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1876	schtasks.exe
3692	schtasks.exe
5388	schtasks.exe
1152	schtasks.exe
4740	schtasks.exe
5080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3480	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
4796	powershell.exe
4616	powershell.exe
4616	powershell.exe
4484	powershell.exe
4484	powershell.exe
4616	powershell.exe
4796	powershell.exe
4796	powershell.exe
4484	powershell.exe
3568	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
3960	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
5108	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
2680	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
2916	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
2916	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1120	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1120	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1992	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1888	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
6060	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
3164	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1212	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1112	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1132	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
1132	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
5560	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
5560	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
5888	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3480	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	3568	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	3960	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	5108	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	2680	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	2916	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	1120	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	1992	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	1888	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	6060	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	3164	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	1212	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	1112	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	1132	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	5560	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	5888	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 4616	3480	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	96
PID 3480 wrote to memory of 4616	3480	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	96
PID 3480 wrote to memory of 4484	3480	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	97
PID 3480 wrote to memory of 4484	3480	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	97
PID 3480 wrote to memory of 4796	3480	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	98
PID 3480 wrote to memory of 4796	3480	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	98
PID 3480 wrote to memory of 3568	3480	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	103
PID 3480 wrote to memory of 3568	3480	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	103
PID 3568 wrote to memory of 2908	3568	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	104
PID 3568 wrote to memory of 2908	3568	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	104
PID 3568 wrote to memory of 2620	3568	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	105
PID 3568 wrote to memory of 2620	3568	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	105
PID 2908 wrote to memory of 3960	2908	WScript.exe	109
PID 2908 wrote to memory of 3960	2908	WScript.exe	109
PID 3960 wrote to memory of 376	3960	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	110
PID 3960 wrote to memory of 376	3960	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	110
PID 3960 wrote to memory of 5732	3960	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	111
PID 3960 wrote to memory of 5732	3960	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	111
PID 376 wrote to memory of 5108	376	WScript.exe	112
PID 376 wrote to memory of 5108	376	WScript.exe	112
PID 5108 wrote to memory of 212	5108	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	113
PID 5108 wrote to memory of 212	5108	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	113
PID 5108 wrote to memory of 2928	5108	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	114
PID 5108 wrote to memory of 2928	5108	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	114
PID 212 wrote to memory of 2680	212	WScript.exe	117
PID 212 wrote to memory of 2680	212	WScript.exe	117
PID 2680 wrote to memory of 4980	2680	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	119
PID 2680 wrote to memory of 4980	2680	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	119
PID 2680 wrote to memory of 1712	2680	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	120
PID 2680 wrote to memory of 1712	2680	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	120
PID 4980 wrote to memory of 2916	4980	WScript.exe	126
PID 4980 wrote to memory of 2916	4980	WScript.exe	126
PID 2916 wrote to memory of 536	2916	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	128
PID 2916 wrote to memory of 536	2916	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	128
PID 2916 wrote to memory of 5656	2916	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	129
PID 2916 wrote to memory of 5656	2916	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	129
PID 536 wrote to memory of 1120	536	WScript.exe	130
PID 536 wrote to memory of 1120	536	WScript.exe	130
PID 1120 wrote to memory of 2128	1120	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	131
PID 1120 wrote to memory of 2128	1120	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	131
PID 1120 wrote to memory of 1300	1120	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	132
PID 1120 wrote to memory of 1300	1120	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	132
PID 2128 wrote to memory of 1992	2128	WScript.exe	133
PID 2128 wrote to memory of 1992	2128	WScript.exe	133
PID 1992 wrote to memory of 5964	1992	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	134
PID 1992 wrote to memory of 5964	1992	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	134
PID 1992 wrote to memory of 4380	1992	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	135
PID 1992 wrote to memory of 4380	1992	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	135
PID 5964 wrote to memory of 1888	5964	WScript.exe	136
PID 5964 wrote to memory of 1888	5964	WScript.exe	136
PID 1888 wrote to memory of 3220	1888	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	137
PID 1888 wrote to memory of 3220	1888	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	137
PID 1888 wrote to memory of 2312	1888	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	138
PID 1888 wrote to memory of 2312	1888	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	138
PID 3220 wrote to memory of 6060	3220	WScript.exe	140
PID 3220 wrote to memory of 6060	3220	WScript.exe	140
PID 6060 wrote to memory of 4872	6060	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	141
PID 6060 wrote to memory of 4872	6060	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	141
PID 6060 wrote to memory of 2160	6060	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	142
PID 6060 wrote to memory of 2160	6060	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	142
PID 4872 wrote to memory of 3164	4872	WScript.exe	143
PID 4872 wrote to memory of 3164	4872	WScript.exe	143
PID 3164 wrote to memory of 4320	3164	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	144
PID 3164 wrote to memory of 4320	3164	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
"C:\Users\Admin\AppData\Local\Temp\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
  "C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9094f5a2-377e-4659-8290-06e04c7012fa.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
      C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38d17f03-f224-4c6f-8f9b-5901216edeee.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:376
      - C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7401ca7c-344e-4ade-8797-f2b8f0f16ddf.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33da4e87-d39e-4176-93a4-e730931a6fb3.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50d6d356-5419-4b98-923f-c115c1500532.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e7051cc-ef22-47f1-9243-68e2c377042f.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc45b0f2-2589-412e-b363-dd96b5cb7ffb.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:5964
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e126921-475e-461e-a908-4b395ea46b2b.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8692de39-1a87-439b-adc3-145f8b9cd0f5.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3be6752-e710-446c-981f-332518832075.vbs"
        21⤵
        
        PID:4320
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40827bfa-51a0-4a84-862f-df06d9b11b8f.vbs"
        23⤵
        
        PID:3600
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3aa4bf0-0f3d-44c4-89f0-f2d7c1edd057.vbs"
        25⤵
        
        PID:4572
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f617b7fc-3816-469f-817e-6cce0890a77a.vbs"
        27⤵
        
        PID:5828
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\541079a8-760f-46c9-82ba-05f11c5fb961.vbs"
        29⤵
        
        PID:1660
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        
        C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7fe95ab-3bbf-49b3-b523-c283e860957c.vbs"
        31⤵
        
        PID:5000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8fcec9a-9caf-48be-b7ca-d7630fc07ac3.vbs"
        31⤵
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7fc8db7-0f89-46ee-baf9-0f1e70ffca4c.vbs"
        29⤵
        
        PID:5436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\080842e4-a940-42d1-ac5c-a6bfa4b89a8d.vbs"
        27⤵
        
        PID:4348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48900d4f-dc9d-4748-8bdc-73c379211404.vbs"
        25⤵
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a1e2fc1-ec41-4b4a-b7bc-a747001c362e.vbs"
        23⤵
        
        PID:6028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60c6a8fe-1d8a-41a6-9e91-302a89f58baf.vbs"
        21⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ebe92d1-7771-4330-baef-cd7042d6a6d3.vbs"
        19⤵
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c5f657f-44b5-40f6-ac43-effd431654b6.vbs"
        17⤵
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63955110-59d8-40dd-8f9c-96c31b86c046.vbs"
        15⤵
        
        PID:4380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6752901d-83ae-4ffe-bbb1-3ac36691a073.vbs"
        13⤵
        
        PID:1300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\462e6921-a71a-4e16-890b-6abb7d11271e.vbs"
        11⤵
        
        PID:5656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e50c7efe-bd78-4ff8-9820-30243930f6ff.vbs"
        9⤵
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\725fd490-6f71-44e5-b594-b1711c2d8efe.vbs"
        7⤵
        
        PID:2928
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f26674f8-98f5-4c24-8907-fc8bd393ac4c.vbs"
        5⤵
        
        PID:5732
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15e9ad29-87f8-4c1c-a345-18c10cf3b060.vbs"
    3⤵
    PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Music\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef0" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef0" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d5e147edfabd7f129d7206d4ee8c4242

SHA1
a4a26e1793fe331b20a56e97c930f343a92be728

SHA256
9417644a8d49effdbc6a120b8d32093626b2ef9e8fe65d2c3163e3b3741a9629

SHA512
ec2530e8b7f2a9a916a94bf0d3a8c830bc258e2b73b5feacb99fbbeda40bf45d20931dded36fc24039a55e3c35cc150bc88e4837339f4db696508745c18f64c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\15e9ad29-87f8-4c1c-a345-18c10cf3b060.vbs

Filesize
542B

MD5
4bf651a89e08832bec63c6658cd71b26

SHA1
5a9085942bf28171ee2b1cd023d9912a3ea9aec7

SHA256
8ddd073043302f7385cac98686e4546ac572e836ef5279deff2b88dd9030529c

SHA512
acd092a378d1b1f494ecda886f3270f71cfbe5d17b5a765696c8424d84b1efa895afccbd24e929434ac0d9bfe73616ffd7f1e5c43c7d565d7242860481176e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e126921-475e-461e-a908-4b395ea46b2b.vbs

Filesize
766B

MD5
f75ab51227daee1ecda35e4791f70cdd

SHA1
7f26a44828b665b72883e21e9b70ccdfd406a6f4

SHA256
37463f44d149b7c8108ea58f4ae6133d40182df9b044824e8a76bd54a997ab30

SHA512
0d76da561e8e70e13256fc4abe59dcc79758d693d0e6a206ca496cecdff87a6708dda7fd99efc4a5c52b0d4afa8ceded64c4a073330d2b53470c118e11633dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\33da4e87-d39e-4176-93a4-e730931a6fb3.vbs

Filesize
766B

MD5
e2d503d75dd0559ce34ec5aea16d055c

SHA1
d5e2ba9d11b793a0befb4dd4337e84d7fdffa7c3

SHA256
a3e61a5c9f58a3e428089d1f77a3d6d46888d4e53655681bddf4be57474c58a8

SHA512
1e2dec40c65638119490731baa7c9befdabb557d90e5e560a4be5b6683dbab5f45dc10511a545654eaac22482c53a875408e45c90a1fa4c7616df5f8a18a57b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\38d17f03-f224-4c6f-8f9b-5901216edeee.vbs

Filesize
766B

MD5
141bbafdfe998cc0a1ccf5fbc0c5c7aa

SHA1
702ea97f63ce23d6b754450c4b993918a8d274dc

SHA256
f03e503a2399a44982b9092e4bc087fa5ea77ee4a99cf158d7991879734bc8b6

SHA512
dabe5dbec0e4774f4b80a3eac4e56bba96f5ec1d3fb63a8213a2f49211e3de1581848ce347f4c58145fb2253158cfbc48e56ce2a9e5c5322207cd4a3ca679d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\40827bfa-51a0-4a84-862f-df06d9b11b8f.vbs

Filesize
766B

MD5
4d578ac06423cc643411e7d25b13dcf9

SHA1
0da4c2419af533a9f938d80a39b63f9eef8999bd

SHA256
06137d3783bcfa02da6e43b732a3b0bf72649ff0e1cd5f8b1a40f53e3715fa0d

SHA512
810c429c479d5274249be437773ccd66541c3bfd0210f7608d032cd7a15dd87d6a186ae97616d026ef7d856827d1e39dfccf3b649ad39c7b52ba7795d683f811

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e7051cc-ef22-47f1-9243-68e2c377042f.vbs

Filesize
766B

MD5
a39e2d6d14654af5df0be20c6f8d6bb2

SHA1
1cd1e2f825d177ab18392d3562af9ebb1fb2c432

SHA256
8a219e1c3280321c95512f1546e6a52d1cab85c389d2431e5ad315d04f029d74

SHA512
5107dec3497064f9ddbb0dd10c015a84907fee4791de3eecf52ec59eb2bde8adbf68a3c676edbe831c75cb452aa14fa2b5d93345e6bab195a7807fc1d07f5947

Download Submit
C:\Users\Admin\AppData\Local\Temp\50d6d356-5419-4b98-923f-c115c1500532.vbs

Filesize
766B

MD5
e301c8c12856c7dd1754d16c805d4f32

SHA1
11e308df7c498dc283114de3f31a9cb710603430

SHA256
6826099f5aa12ce7344da044a4d27529f244484807761a02ba71bde987eb0a8a

SHA512
9137a43ff8f930c0db92fa9716fd3f2afde892e792fcef0ff5cebb1e7e9e916749017eebba9f2768ecbef18d7549d539cf0f87826b2dfc54fb2f438f52a72425

Download Submit
C:\Users\Admin\AppData\Local\Temp\541079a8-760f-46c9-82ba-05f11c5fb961.vbs

Filesize
766B

MD5
883a565a0c86e51c1d41bab6b2adcd8a

SHA1
5cc15fd3fda6346a08d8b316f82a27f6bb360cfd

SHA256
7d903901f9ddf84cde4898c5306818975bf39b0020576295c75f4e85106b0a2f

SHA512
075eb837953eb567bbaee3fbefa63f6bb6cf460e823d43095521efd361c507d7cd5030f4fcb445391b22d607f00c5603797a9bac05f401b569880c167c315925

Download Submit
C:\Users\Admin\AppData\Local\Temp\7401ca7c-344e-4ade-8797-f2b8f0f16ddf.vbs

Filesize
766B

MD5
a08405a4a7e36bd85efd861fe0800155

SHA1
071728fbb58bf783949d38bde1130d4441726cda

SHA256
9f7af1a2ebf2333362396abd3434a478aab09081a7ebf72500baa6e1b57780dc

SHA512
be7326c7e4cc8851717fc975c94b9dc2bea6d1d9d65bcb36d131f27b62f23848d6ade39ee97d659ccc526c7c7829d64c6d0f32dfe562c351241d3bcbb1030b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8692de39-1a87-439b-adc3-145f8b9cd0f5.vbs

Filesize
766B

MD5
9749c551307334849843a02c4c02a88c

SHA1
7bdc4399d55536b4c5d215b07a50502df5079aba

SHA256
d40b8994789fb537d326b76a2aa4c95e09824830e97ef6b6f752a79f255e8252

SHA512
dbacd34503bee19bf9fc64584ee022435fd30aa44b13a9b34c593b45cddc08033f8875c85eb0baf9c5af93f9fa38a9365293afd8053e69008635da06e86fb723

Download Submit
C:\Users\Admin\AppData\Local\Temp\9094f5a2-377e-4659-8290-06e04c7012fa.vbs

Filesize
766B

MD5
e2878e02083bf31b2d83ce3f96180f09

SHA1
ca669601eebacfb22f411522079edc4b7b5bdda2

SHA256
4a3666ca02094d522554dd2199d79fe0fab240934563f48da0339ed7814fcdb9

SHA512
4e141789e41c37d52030fa2aae39c9b575152ff4419e034c1b580882384192c0b523ee5293398381f794b051f5e5ced233efceed6e3dd0fd632e58ba65a1c2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mipl4vdm.kxn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3aa4bf0-0f3d-44c4-89f0-f2d7c1edd057.vbs

Filesize
766B

MD5
1f028ffb1a3e5ceabff878a9017d0c23

SHA1
835e79559e825a1ce231ce0849a97c904817654b

SHA256
a4002b9c445a989a32ff2feb63e6293ee47e7319eb3394fdfcad4385070a11c6

SHA512
17b95df4f47add9d0a404270c3774df2ffd58134d0c7ab5aa4a8f7a1094b8f84acbd977143344d7f6835a044e78a85065cc5736246c4d76872b2427aebe3fa29

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7fe95ab-3bbf-49b3-b523-c283e860957c.vbs

Filesize
766B

MD5
1afb4744e53f58803b94fb1aff122567

SHA1
35c98d9b39d508d9dac0b5467f1231349aa27063

SHA256
ae509146cea14284fcd57c53901efb5a94d737caf01722649205bb7292f85634

SHA512
0ab2f3e5fa6b0d7a09c22e943ca438e446056b5c399ab90f420207cc94a0e419b43e8dfce09c333a8f65c28f00018cb009af32213383432c41d55cd051d798ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc45b0f2-2589-412e-b363-dd96b5cb7ffb.vbs

Filesize
766B

MD5
9bfe7c176a5c15de47d4df491ba97793

SHA1
bf3f936b9a8031b3df3ebdb23fb9d249322103e1

SHA256
68468385fa07029719dbe06cef5ee788e36e2579e171837c3c88a4d938135c2b

SHA512
506920ce4a0302d29f65e317a1eadf3c02ac88e9723fa3bf3cd3601361572dd4113093e941154642b553f6e946600b90cb6f3fe9924346aa4f9f8b78b6ba587c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3be6752-e710-446c-981f-332518832075.vbs

Filesize
766B

MD5
aaa3da206995dcd03bfbc7e934999949

SHA1
0387f17a43d499b82daf5faafabc3c5f26195777

SHA256
c390e45a42c9cf1d9f410333a34b3f24180862c1170f61b4ab50e4829f9d1520

SHA512
33c77d65abca2175daec03639e6d26cd919705303c91632408f49e5e61ed3904cf730f0bcc925c55dbc879fb136896855b7ea144a451904d5d356f4aee7857db

Download Submit
C:\Users\Admin\AppData\Local\Temp\f617b7fc-3816-469f-817e-6cce0890a77a.vbs

Filesize
766B

MD5
1b11c3c0baf43fcefc7fb38d5e213f0d

SHA1
8163a4442530f0b5ce71bb44434bb7d94ec071de

SHA256
8840f3467b68d1a25c7b0761ec7050c001e1458f1ffde36746b5ba2e531d8ebb

SHA512
8bbe38d9a26b0b77b3c2b817684e0a6ff15dfd43bb6b728b7a14c3746f842053dcbcbf4318740a2db7feaddacd9aee3ba765511cca60bbe6579aa094dce5d24e

Download Submit
C:\Users\Admin\Music\backgroundTaskHost.exe

Filesize
1.6MB

MD5
1e635900f25bb2891a42cf6d65ca80eb

SHA1
0c6e3ec0b571ee3d1504a4769a77405ba9a54edb

SHA256
0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef

SHA512
c3c215add9a07614b4fff768ac3aeea0ebbaa459e85d6f080aa3734d4eb0742536535c4156201299bbcf86f453acdfc961585eb2536790e58cecfd32db5772a8

Download Submit
memory/3480-9-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/3480-11-0x000000001B450000-0x000000001B45C000-memory.dmp

Filesize
48KB

Download
memory/3480-146-0x00007FFDE8180000-0x00007FFDE8C41000-memory.dmp

Filesize
10.8MB

Download
memory/3480-14-0x000000001BC20000-0x000000001BC28000-memory.dmp

Filesize
32KB

Download
memory/3480-17-0x000000001BC50000-0x000000001BC5C000-memory.dmp

Filesize
48KB

Download
memory/3480-15-0x000000001BC30000-0x000000001BC38000-memory.dmp

Filesize
32KB

Download
memory/3480-16-0x000000001BC40000-0x000000001BC4A000-memory.dmp

Filesize
40KB

Download
memory/3480-13-0x000000001BC10000-0x000000001BC1E000-memory.dmp

Filesize
56KB

Download
memory/3480-12-0x000000001BC00000-0x000000001BC0A000-memory.dmp

Filesize
40KB

Download
memory/3480-1-0x00000000005B0000-0x0000000000752000-memory.dmp

Filesize
1.6MB

Download
memory/3480-0-0x00007FFDE8183000-0x00007FFDE8185000-memory.dmp

Filesize
8KB

Download
memory/3480-10-0x000000001B3D0000-0x000000001B3DC000-memory.dmp

Filesize
48KB

Download
memory/3480-8-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/3480-7-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/3480-6-0x00000000029B0000-0x00000000029C6000-memory.dmp

Filesize
88KB

Download
memory/3480-4-0x000000001BA70000-0x000000001BAC0000-memory.dmp

Filesize
320KB

Download
memory/3480-5-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/3480-3-0x0000000002990000-0x00000000029AC000-memory.dmp

Filesize
112KB

Download
memory/3480-2-0x00007FFDE8180000-0x00007FFDE8C41000-memory.dmp

Filesize
10.8MB

Download
memory/4616-114-0x00000140E0EC0000-0x00000140E0EE2000-memory.dmp

Filesize
136KB

Download