dcrat | 7f1beb32d0565e8ebe9db45b1bc9a29b8fe6f2cfb7f17605bd2f6ec40f761b89

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Size

1.6MB
MD5

27b689b77f3516a11f09ecb8897ad4c2
SHA1

654cb72e6167f879a83930da230b28099359721f
SHA256

5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772
SHA512

8d55b966e8e634053b62cb545366d661a37dbf467e836b8028ad63055cccd3c9032c9ba04a84e79994926425250e39f808757cfec454ddf2670cff3569b3cbbe
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5752	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5948	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5436	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	1308	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	1308	schtasks.exe	87

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/5320-1-0x0000000000710000-0x00000000008B2000-memory.dmp	dcrat
behavioral2/files/0x0008000000024292-29.dat	dcrat
behavioral2/files/0x000c0000000240ee-51.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6028	powershell.exe
5856	powershell.exe
5840	powershell.exe
3900	powershell.exe
2656	powershell.exe
2908	powershell.exe
836	powershell.exe
2664	powershell.exe
1908	powershell.exe
5628	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Registry.exe

Executes dropped EXE 16 IoCs

pid	Process
4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
6108	Registry.exe
1008	Registry.exe
916	Registry.exe
1932	Registry.exe
2968	Registry.exe
4604	Registry.exe
5828	Registry.exe
1692	Registry.exe
3916	Registry.exe
3116	Registry.exe
5236	Registry.exe
2840	Registry.exe
5352	Registry.exe
932	Registry.exe
208	Registry.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\edge_BITS_4676_2075199159\dwm.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCX74B7.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCX7535.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files\edge_BITS_4676_2075199159\dwm.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files\edge_BITS_4676_2075199159\6cb0b6c459d5d3	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files\edge_BITS_4692_872651125\csrss.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\edge_BITS_4692_872651125\csrss.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\69ddcba757bf72	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files\edge_BITS_4692_872651125\886983d96e3d3e	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\debug\dllhost.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Windows\debug\dllhost.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Windows\debug\5940a34987c991	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Windows\debug\RCX794F.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Windows\debug\RCX795F.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	Registry.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3576	schtasks.exe
756	schtasks.exe
4984	schtasks.exe
4856	schtasks.exe
3912	schtasks.exe
4528	schtasks.exe
4880	schtasks.exe
4860	schtasks.exe
5000	schtasks.exe
4500	schtasks.exe
4684	schtasks.exe
1340	schtasks.exe
2284	schtasks.exe
4772	schtasks.exe
4848	schtasks.exe
4696	schtasks.exe
5752	schtasks.exe
4540	schtasks.exe
1696	schtasks.exe
1048	schtasks.exe
4944	schtasks.exe
5948	schtasks.exe
5436	schtasks.exe
4052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
836	powershell.exe
836	powershell.exe
5628	powershell.exe
5628	powershell.exe
6028	powershell.exe
6028	powershell.exe
2908	powershell.exe
2908	powershell.exe
1908	powershell.exe
1908	powershell.exe
5628	powershell.exe
6028	powershell.exe
836	powershell.exe
2908	powershell.exe
1908	powershell.exe
4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
5840	powershell.exe
5840	powershell.exe
2656	powershell.exe
2656	powershell.exe
5856	powershell.exe
5856	powershell.exe
3900	powershell.exe
3900	powershell.exe
2664	powershell.exe
2664	powershell.exe
2656	powershell.exe
2664	powershell.exe
5840	powershell.exe
3900	powershell.exe
5856	powershell.exe
6108	Registry.exe
1008	Registry.exe
916	Registry.exe
1932	Registry.exe
1932	Registry.exe
2968	Registry.exe
4604	Registry.exe
4604	Registry.exe
5828	Registry.exe
1692	Registry.exe
3916	Registry.exe
3116	Registry.exe
5236	Registry.exe
2840	Registry.exe
5352	Registry.exe
932	Registry.exe
208	Registry.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	5628	powershell.exe
Token: SeDebugPrivilege	6028	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Token: SeDebugPrivilege	5840	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	5856	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	6108	Registry.exe
Token: SeDebugPrivilege	1008	Registry.exe
Token: SeDebugPrivilege	916	Registry.exe
Token: SeDebugPrivilege	1932	Registry.exe
Token: SeDebugPrivilege	2968	Registry.exe
Token: SeDebugPrivilege	4604	Registry.exe
Token: SeDebugPrivilege	5828	Registry.exe
Token: SeDebugPrivilege	1692	Registry.exe
Token: SeDebugPrivilege	3916	Registry.exe
Token: SeDebugPrivilege	3116	Registry.exe
Token: SeDebugPrivilege	5236	Registry.exe
Token: SeDebugPrivilege	2840	Registry.exe
Token: SeDebugPrivilege	5352	Registry.exe
Token: SeDebugPrivilege	932	Registry.exe
Token: SeDebugPrivilege	208	Registry.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5320 wrote to memory of 1908	5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	104
PID 5320 wrote to memory of 1908	5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	104
PID 5320 wrote to memory of 836	5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	105
PID 5320 wrote to memory of 836	5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	105
PID 5320 wrote to memory of 6028	5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	106
PID 5320 wrote to memory of 6028	5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	106
PID 5320 wrote to memory of 5628	5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	107
PID 5320 wrote to memory of 5628	5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	107
PID 5320 wrote to memory of 2908	5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	108
PID 5320 wrote to memory of 2908	5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	108
PID 5320 wrote to memory of 4932	5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	114
PID 5320 wrote to memory of 4932	5320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	114
PID 4932 wrote to memory of 6076	4932	cmd.exe	151
PID 4932 wrote to memory of 6076	4932	cmd.exe	151
PID 4932 wrote to memory of 4672	4932	cmd.exe	119
PID 4932 wrote to memory of 4672	4932	cmd.exe	119
PID 4672 wrote to memory of 2664	4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	133
PID 4672 wrote to memory of 2664	4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	133
PID 4672 wrote to memory of 2656	4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	134
PID 4672 wrote to memory of 2656	4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	134
PID 4672 wrote to memory of 3900	4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	135
PID 4672 wrote to memory of 3900	4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	135
PID 4672 wrote to memory of 5840	4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	136
PID 4672 wrote to memory of 5840	4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	136
PID 4672 wrote to memory of 5856	4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	138
PID 4672 wrote to memory of 5856	4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	138
PID 4672 wrote to memory of 6108	4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	143
PID 4672 wrote to memory of 6108	4672	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	143
PID 6108 wrote to memory of 4520	6108	Registry.exe	144
PID 6108 wrote to memory of 4520	6108	Registry.exe	144
PID 6108 wrote to memory of 4356	6108	Registry.exe	145
PID 6108 wrote to memory of 4356	6108	Registry.exe	145
PID 4520 wrote to memory of 1008	4520	WScript.exe	146
PID 4520 wrote to memory of 1008	4520	WScript.exe	146
PID 1008 wrote to memory of 1144	1008	Registry.exe	147
PID 1008 wrote to memory of 1144	1008	Registry.exe	147
PID 1008 wrote to memory of 656	1008	Registry.exe	148
PID 1008 wrote to memory of 656	1008	Registry.exe	148
PID 1144 wrote to memory of 916	1144	WScript.exe	150
PID 1144 wrote to memory of 916	1144	WScript.exe	150
PID 916 wrote to memory of 6076	916	Registry.exe	151
PID 916 wrote to memory of 6076	916	Registry.exe	151
PID 916 wrote to memory of 1404	916	Registry.exe	152
PID 916 wrote to memory of 1404	916	Registry.exe	152
PID 6076 wrote to memory of 1932	6076	WScript.exe	161
PID 6076 wrote to memory of 1932	6076	WScript.exe	161
PID 1932 wrote to memory of 1184	1932	Registry.exe	162
PID 1932 wrote to memory of 1184	1932	Registry.exe	162
PID 1932 wrote to memory of 3700	1932	Registry.exe	163
PID 1932 wrote to memory of 3700	1932	Registry.exe	163
PID 1184 wrote to memory of 2968	1184	WScript.exe	164
PID 1184 wrote to memory of 2968	1184	WScript.exe	164
PID 2968 wrote to memory of 1756	2968	Registry.exe	165
PID 2968 wrote to memory of 1756	2968	Registry.exe	165
PID 2968 wrote to memory of 3196	2968	Registry.exe	166
PID 2968 wrote to memory of 3196	2968	Registry.exe	166
PID 1756 wrote to memory of 4604	1756	WScript.exe	167
PID 1756 wrote to memory of 4604	1756	WScript.exe	167
PID 4604 wrote to memory of 6136	4604	Registry.exe	168
PID 4604 wrote to memory of 6136	4604	Registry.exe	168
PID 4604 wrote to memory of 3020	4604	Registry.exe	169
PID 4604 wrote to memory of 3020	4604	Registry.exe	169
PID 6136 wrote to memory of 5828	6136	WScript.exe	170
PID 6136 wrote to memory of 5828	6136	WScript.exe	170

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
"C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkY2GXfgWJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:6076
- - C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
    "C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4676_2075199159\dwm.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4692_872651125\csrss.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5856
  - - C:\Recovery\WindowsRE\Registry.exe
      "C:\Recovery\WindowsRE\Registry.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:6108
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fbf8f49-2b48-47e6-965d-37fe4a9b483c.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4520
      - C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\043b2dbe-0c1e-4496-88b9-f0469f51621e.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\093aa5cc-053f-4b46-9d4d-0c4dd512d68c.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:6076
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99953b90-21e6-4380-970e-852703df3af2.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d742695-0cdf-4de6-8b18-b37e0472258c.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4a7b255-65d6-45bd-8d07-9b607b026487.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:6136
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d8c938d-5e5f-4228-ad02-38cb823d7246.vbs"
        17⤵
        
        PID:1748
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6232418f-545a-4ac1-a74f-13502e9a312a.vbs"
        19⤵
        
        PID:3136
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df10cfa6-5db9-4f82-820b-95c93b3f83e3.vbs"
        21⤵
        
        PID:5464
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b64806b-27ae-417f-bae6-cc11557dc610.vbs"
        23⤵
        
        PID:4136
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02b2d804-294c-4143-a290-199a32e0599d.vbs"
        25⤵
        
        PID:5196
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\922dcd8f-55c6-49f2-82fe-89dd5fa5cce0.vbs"
        27⤵
        
        PID:4616
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afb7b06a-fac3-406c-a9b4-ed8a1e8b59ed.vbs"
        29⤵
        
        PID:3220
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fecc6352-46de-4e05-93e9-1c2e7dce50f5.vbs"
        31⤵
        
        PID:1440
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f29e3b51-39df-4df7-9ab5-05dc2ea4af16.vbs"
        33⤵
        
        PID:4196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ab4884b-e9ce-4863-9662-a7ce714e8822.vbs"
        33⤵
        
        PID:4712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44012ca5-43d7-4977-9300-c5f5140ce655.vbs"
        31⤵
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\186de9a1-2563-49cf-ba58-fdde3b718146.vbs"
        29⤵
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be70e2fd-3c10-4964-aa08-8efc7d0df881.vbs"
        27⤵
        
        PID:6044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f84cfef-8031-4466-9cab-02ea4348f37a.vbs"
        25⤵
        
        PID:1476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdcd13b7-eaa4-4da1-ae54-45194a62441a.vbs"
        23⤵
        
        PID:4464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f1609a2-7806-45eb-8437-a242f9134c97.vbs"
        21⤵
        
        PID:4900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5d39762-1e9c-4a32-a562-e04f60b6f11b.vbs"
        19⤵
        
        PID:3888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6d72889-5968-44b1-8c7e-7e20bd8f417b.vbs"
        17⤵
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba6ac8e0-20b0-4330-a61c-5e75fa41eb75.vbs"
        15⤵
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b15a5a37-3b4b-4404-89d5-cfd6b7716c77.vbs"
        13⤵
        
        PID:3196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aa79207-bacd-4254-8713-3112ea467c96.vbs"
        11⤵
        
        PID:3700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25e69510-1539-4228-9983-786ee516bbb0.vbs"
        9⤵
        
        PID:1404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff062c70-2931-408c-9ebe-29e9834eda85.vbs"
        7⤵
        
        PID:656
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6ce27aa-0c8b-478c-9911-a574c3b9cc24.vbs"
        5⤵
        
        PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\7330c8a20692d0b35002ea5a\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\7330c8a20692d0b35002ea5a\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\7330c8a20692d0b35002ea5a\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\7330c8a20692d0b35002ea5a\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\debug\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4676_2075199159\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4676_2075199159\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4676_2075199159\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Music\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4692_872651125\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4692_872651125\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4692_872651125\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe

Filesize
1.6MB

MD5
157465ac28afc2ac05f19dba14736b34

SHA1
ff6e20ba36c4b8aa7c2d7e271d0816c1f7ebadb5

SHA256
94f83d3a8beb6a44d9f05bce6ee5f0f44660b3ca81d22d356f074807fb548a33

SHA512
87c6cf2a83b355058e3db9aea61a445c32f14f5909ffbf3498461e7cd725cc7e7748253a9b6575511fd3f0c59085db867b0b1f7c37a2548364f2535ec9a893ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
abc61b7a532b5a8ab5bede2f413c1a71

SHA1
82ed1d78231b408bd8c072b7e08ac0aec0c43a7e

SHA256
43027d7e917d7dc6caa6621eec3187dbfb8c2d3d02f3e0b4c8cf0a37505c9a51

SHA512
2ebe7180da937c44f332dfec8e1b0e5a6b00a8825555829ad6a631d7e54252d3254b9c544370717042cc6c118b83f21f09798d5891d3919363c69439af956adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
93771c301aacc738330a66a7e48b0c1b

SHA1
f7d7ac01f1f13620b1642d1638c1d212666abbae

SHA256
5512157a9ea31f455e244922910fcdb2b8116288d968b0e5e26c91b266d4de7c

SHA512
a51f43e335c8c6da130866115ee6d890f808379548b129e20e563c5ee0234cca186ecde4fd6bc609f0eba6e32b10d080f4f67483461cdd58ef0a60db78324309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
329e67b656834b36b529ff5a745a61aa

SHA1
85e9d41fd3f88f1d65ac85f7c3ddfa3e63d3936e

SHA256
b2a9f53f28e620dbec9fb8f44fc6431d619bc225124bffacd32dbc9cb94856c4

SHA512
ceeb20c6162e8a94745b59d685fce506df22b85870a0a472869e1949124cc70d3beeababd49444dee4e9a1e387947b66a17dca25870234514c20e7e5c28d4dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\02b2d804-294c-4143-a290-199a32e0599d.vbs

Filesize
710B

MD5
b35c5d17751369a2a26cbf6505c0d30f

SHA1
b75fe875326ee34ac3060851e8672ecd4078f82f

SHA256
d9af5ebb74d890a7d9e7e894847af09ab7323bc678ffd92d5da6a82341206199

SHA512
aef92e514c928362d5bff111963850ba9ba30c98fe5e9a3922eed244ee4bab2acc53e024167616606b39d5a104342372f990b44006b843187829010b6f526c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\043b2dbe-0c1e-4496-88b9-f0469f51621e.vbs

Filesize
710B

MD5
b7d883724ab28ac465bf2c74f0e22b51

SHA1
7d94ebff8bbc750e244a70f4659fc6bb2b1f3ecd

SHA256
17c4258a1a494f9e8309facf074dd57893732412c4dba0026d82177b0b39f849

SHA512
5936dd21f760e70031c398e0d66ef13ba01268382463bc44570ecdc6ec8e5706d528d4d3c4fa3a7703145acbac2be286292dcd6b420e880e5e8a7c46e74aea60

Download Submit
C:\Users\Admin\AppData\Local\Temp\093aa5cc-053f-4b46-9d4d-0c4dd512d68c.vbs

Filesize
709B

MD5
773dcd9a49e3234d18fa2e1825595556

SHA1
67bda76483bc1fdd3a0e03bbdc58e14411884339

SHA256
6b07e8c842f85a26f35ece53cd406eaf79331ea33cc16ea4265cfea3d2824f97

SHA512
e88bdc74e9817982792a92c263508b344a81aa35be31039339ef2c986398c3d04883fcae74402b58eb440702df7fb9ea72f7a54e8bca6d3e5af7f11145406876

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fbf8f49-2b48-47e6-965d-37fe4a9b483c.vbs

Filesize
710B

MD5
821f9dcbccd491a0ad3a81307a90ecfa

SHA1
fa6e43f4d7f0f569054bc2263512b642158c3f2c

SHA256
fb0acc00a8b157933a1e811c1b1181d89c07e0386c621945f0ce305bfe40acea

SHA512
243951467a3e5490479f9539bd4e28886fbccc1fab97353a4df2911fdc8b331631e6dd9f39e826ff58af705fb91f321dd8ff2411bebfbe4096aa957b858374ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b64806b-27ae-417f-bae6-cc11557dc610.vbs

Filesize
710B

MD5
b074840399733d71792085aefbc531f4

SHA1
e6f6712c923d0a5572b2d112bc62d8ab668a1331

SHA256
f2eaed2e52804dd6cac6bdbd4f1cc565448f18767ae0a2344ec285c5932073a0

SHA512
645c7d608d4229fe4a9c8c416abc22bb2d2fc691e439ee4ac1cb84edbe82654172acc02901230b053bb9301af662ad1f7a8742f1622446cc7455b0ec5ffad6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d742695-0cdf-4de6-8b18-b37e0472258c.vbs

Filesize
710B

MD5
fea403d92e8b756657ddc7713a38ed50

SHA1
98cdfd3d5d9b4fb3a09a81c5d925dec1a501a3fb

SHA256
e8fc5eed22231acb1eaae70952073c0d8882eb394b043667f04a38f21d0e8c85

SHA512
64caf18d3f427aa10d0d1b0cfaba1b988bf3fba7c2dab343f65fa9a1ebb105ec452620795de4da8dda15e17a7cbcd39da42044bf651319a5b27c80557b39a935

Download Submit
C:\Users\Admin\AppData\Local\Temp\6232418f-545a-4ac1-a74f-13502e9a312a.vbs

Filesize
710B

MD5
fee5311d6f0e503ef8b4fc74483d43f1

SHA1
8c1349c77133682f0b9db4067aecb709dc4b22fa

SHA256
2da1d229b11a31312021f230a6901babfd41443ac5f670ad72730910c3b47cf4

SHA512
742abce31bc82bf5b902386a51eb8e4fd6e09037d5168d06b0b8fb87c7aadd250c9c00fd36f17abdf486c24dcfec298425a03a2153581af6bd651776cf361581

Download Submit
C:\Users\Admin\AppData\Local\Temp\922dcd8f-55c6-49f2-82fe-89dd5fa5cce0.vbs

Filesize
710B

MD5
b99b9696a8657df2ada75da3eece18ff

SHA1
79459befc1b9443e1d14a2c632beffb9a60d09eb

SHA256
d78266f3cc3b6620a3e22356f2e61704cf278f6b3aaca5070482a924c8dacc7a

SHA512
0418488f4a6e413b10780412d21d21ef7af894d2fef3a8531ee48856ce290d820f340293133e2dc60ad0469a9d5944a99922644280b768743ebeb134aaf2d1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\99953b90-21e6-4380-970e-852703df3af2.vbs

Filesize
710B

MD5
3f1db686b28d67014a79fae858875e20

SHA1
aaf9e8c443ba1402980870f67a9c84e56d2327f1

SHA256
f1ccc455a213faf21ee8a5daf48d46b328e53c41e762cd9071599038f62be8ce

SHA512
318ce254a1adaf33ae242dfc36583ab8a9bf2f050c9d11ff2ca25da3844f28e97e6aa047caa7927bbe47c3b11b84f9332de3294fa08274d13678c4cd3c916b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d8c938d-5e5f-4228-ad02-38cb823d7246.vbs

Filesize
710B

MD5
499c7b97b4f1adfcc6152bb31f20166d

SHA1
ead123abe5a0c6ecb230fa6d75c7f4c6a4f968bb

SHA256
01a064ed16868d11c15417cc95367ac14aa812ed67f4f098c72f248b815449d8

SHA512
40c066750d9538b49b7e4726acaa3ace5474c63acc0e5013c22bbc7091001e22620b979f91d5376dc7e19c4f5b7a29a66ab0b93ec842f14649a098fb0e6592db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX708D.tmp

Filesize
1.6MB

MD5
27b689b77f3516a11f09ecb8897ad4c2

SHA1
654cb72e6167f879a83930da230b28099359721f

SHA256
5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772

SHA512
8d55b966e8e634053b62cb545366d661a37dbf467e836b8028ad63055cccd3c9032c9ba04a84e79994926425250e39f808757cfec454ddf2670cff3569b3cbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rhawgxbw.pil.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4a7b255-65d6-45bd-8d07-9b607b026487.vbs

Filesize
710B

MD5
ef1fcce5e86a96e9b7a7b6a277ae7979

SHA1
78d16f1a3666810f5118cf666cc1f3fa51cff5d1

SHA256
fc1fac65f7a05af20ca0abdc616654b754f8005f28f26941e8ece6d0f0e8f43d

SHA512
6e75ac6439a2d1419ecbdc68b230c300310a5466429e31d2d61a3e0bba325b96707f6b6952416bc0e076e5adeae1c77d9a8471d5ae5053147903b1bc6d570e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6ce27aa-0c8b-478c-9911-a574c3b9cc24.vbs

Filesize
486B

MD5
87b196b244212b4879647e76adb195d0

SHA1
0787b69b711af8b96dc1d51dbee2c5fc8e1c7a97

SHA256
10308cfaea91f81cc50e81143eca15905f810bd2c14448ed7929ad6dcb03d4df

SHA512
4f873f5d6a744825cc0882029152d66cbb59d4b9ef794931d1c0d7b676cb07e5add44035daa8596a749ebd18b301d5019e84656075ddc389d3486e45714ba100

Download Submit
C:\Users\Admin\AppData\Local\Temp\df10cfa6-5db9-4f82-820b-95c93b3f83e3.vbs

Filesize
710B

MD5
69b144661fb3f21bbb8426b90fe60b91

SHA1
3f03f773e488b8a7f6c102075d31f014ea7f1189

SHA256
696f4a2aa19c5d3d478673b656577aeb0dd13be3f1536d262a6aa535d7dbc935

SHA512
7514b77176641d49493426d139538874b5def49fc657e7eafdfa47285a76cd43ddd81a8e87a41511868b676568954830259dc4f4946bc5b3208dfcac3a364cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkY2GXfgWJ.bat

Filesize
267B

MD5
24618415c7df513d8b0b833b39c17a59

SHA1
6b13062cfa3261f7c950db620d9bbf968c5807c0

SHA256
79ab1cd2e0d82e50d6b77e4f7a16dfa682e7347c7d1818e88984f2ac769bee59

SHA512
04e6eabe1b1f30ea03b605a146adff52d6a0740f07234da61e2f8279ed8908a638d53782b2268146c7d90a0c76dbbfe2343146a092de8436e4d84a6be4cfecfb

Download Submit
memory/836-99-0x0000021BB6440000-0x0000021BB6462000-memory.dmp

Filesize
136KB

Download
memory/5320-17-0x000000001B4F0000-0x000000001B4FC000-memory.dmp

Filesize
48KB

Download
memory/5320-120-0x00007FFE9BEC0000-0x00007FFE9C981000-memory.dmp

Filesize
10.8MB

Download
memory/5320-3-0x0000000002BD0000-0x0000000002BEC000-memory.dmp

Filesize
112KB

Download
memory/5320-6-0x000000001B3D0000-0x000000001B3E6000-memory.dmp

Filesize
88KB

Download
memory/5320-7-0x000000001B3F0000-0x000000001B3F8000-memory.dmp

Filesize
32KB

Download
memory/5320-11-0x000000001B480000-0x000000001B48C000-memory.dmp

Filesize
48KB

Download
memory/5320-14-0x000000001B4C0000-0x000000001B4C8000-memory.dmp

Filesize
32KB

Download
memory/5320-15-0x000000001B4D0000-0x000000001B4D8000-memory.dmp

Filesize
32KB

Download
memory/5320-0-0x00007FFE9BEC3000-0x00007FFE9BEC5000-memory.dmp

Filesize
8KB

Download
memory/5320-12-0x000000001B490000-0x000000001B49A000-memory.dmp

Filesize
40KB

Download
memory/5320-16-0x000000001B4E0000-0x000000001B4EA000-memory.dmp

Filesize
40KB

Download
memory/5320-13-0x000000001B4A0000-0x000000001B4AE000-memory.dmp

Filesize
56KB

Download
memory/5320-10-0x000000001B470000-0x000000001B47C000-memory.dmp

Filesize
48KB

Download
memory/5320-9-0x000000001B460000-0x000000001B468000-memory.dmp

Filesize
32KB

Download
memory/5320-8-0x000000001B400000-0x000000001B410000-memory.dmp

Filesize
64KB

Download
memory/5320-4-0x000000001B410000-0x000000001B460000-memory.dmp

Filesize
320KB

Download
memory/5320-5-0x000000001B3C0000-0x000000001B3D0000-memory.dmp

Filesize
64KB

Download
memory/5320-2-0x00007FFE9BEC0000-0x00007FFE9C981000-memory.dmp

Filesize
10.8MB

Download
memory/5320-1-0x0000000000710000-0x00000000008B2000-memory.dmp

Filesize
1.6MB

Download