dcrat | 2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
Size

1008KB
MD5

579e5cbaf7b4ad7e0e0f2f991d072a6b
SHA1

338cb0a75e4d1d84e5cb3dcf11faa9c764d48e00
SHA256

2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f
SHA512

6a9cebaefe5ec375f9a932445fdc5b77945a46ac25c09fd8b3bc57c4b0b4d453eb5fffe70effdcabf0d46da63c73003aa109e342d648eef06c85d05e7b8dae92
SSDEEP

12288:7EC9yggsC9b/ySBhfEWO+QxckmsPnvKhxauZUYf9LT+wqR/Zk:7EnjsC9b/yofEWcHms6nZFlLT+Z/Zk

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	1720	schtasks.exe

DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
rat

Processes:

resource yara_rule

behavioral2/memory/1572-1-0x0000000000400000-0x0000000000504000-memory.dmp dcrat
C:\Users\Default\wininit.exe dcrat

resource	yara_rule
behavioral2/memory/1572-1-0x0000000000400000-0x0000000000504000-memory.dmp	dcrat
C:\Users\Default\wininit.exe	dcrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exe2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe

Executes dropped EXE 13 IoCs

Processes:

pid	process
3904	MusNotification.exe
5108	MusNotification.exe
1780	MusNotification.exe
2028	MusNotification.exe
4528	MusNotification.exe
4856	MusNotification.exe
3576	MusNotification.exe
856	MusNotification.exe
3628	MusNotification.exe
2500	MusNotification.exe
1004	MusNotification.exe
3228	MusNotification.exe
5012	MusNotification.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

Processes:

flow	ioc
55	pastebin.com
70	pastebin.com
76	pastebin.com
59	pastebin.com
67	pastebin.com
71	pastebin.com
54	pastebin.com
53	pastebin.com
60	pastebin.com
66	pastebin.com
69	pastebin.com
18	pastebin.com
19	pastebin.com
44	pastebin.com

Drops file in Program Files directory 13 IoCs

Processes:

2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\msedge.exe	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files (x86)\Windows NT\5940a34987c991	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6ccacd8608530f	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\upfc.exe	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\ea1d8f6d871115	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\61a52ddc9dd915	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files\7-Zip\Lang\61a52ddc9dd915	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\aa97147c4c782d	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files\7-Zip\Lang\msedge.exe	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files (x86)\Windows NT\dllhost.exe	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe

Drops file in Windows directory 4 IoCs

Processes:

2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe

description	ioc	process
File created	C:\Windows\LiveKernelReports\smss.exe	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Windows\LiveKernelReports\69ddcba757bf72	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Windows\PolicyDefinitions\es-ES\fontdrvhost.exe	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Windows\PolicyDefinitions\es-ES\5b884080fd4f94	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

Processes:

MusNotification.exeMusNotification.exeMusNotification.exe2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	MusNotification.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
4176	schtasks.exe
4488	schtasks.exe
456	schtasks.exe
4468	schtasks.exe
2836	schtasks.exe
1468	schtasks.exe
3592	schtasks.exe
1668	schtasks.exe
4944	schtasks.exe
1808	schtasks.exe
2088	schtasks.exe
3816	schtasks.exe
3920	schtasks.exe
212	schtasks.exe
3220	schtasks.exe
2124	schtasks.exe
2224	schtasks.exe
2324	schtasks.exe
2344	schtasks.exe
936	schtasks.exe
3128	schtasks.exe
5052	schtasks.exe
1264	schtasks.exe
4620	schtasks.exe
3340	schtasks.exe
4792	schtasks.exe
2128	schtasks.exe
3160	schtasks.exe
3584	schtasks.exe
4252	schtasks.exe
3016	schtasks.exe
5096	schtasks.exe
996	schtasks.exe
4364	schtasks.exe
948	schtasks.exe
856	schtasks.exe
2920	schtasks.exe
5044	schtasks.exe
2820	schtasks.exe
3572	schtasks.exe
628	schtasks.exe
1096	schtasks.exe
4928	schtasks.exe
2796	schtasks.exe
4052	schtasks.exe
1336	schtasks.exe
1404	schtasks.exe
4428	schtasks.exe
3392	schtasks.exe
4984	schtasks.exe
888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exeMusNotification.exe

pid	process
1572	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
1572	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
1572	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
1572	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
1572	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
1572	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
1572	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
3904	MusNotification.exe
5108	MusNotification.exe
5108	MusNotification.exe
1780	MusNotification.exe
1780	MusNotification.exe
2028	MusNotification.exe
2028	MusNotification.exe
4528	MusNotification.exe
4528	MusNotification.exe
4856	MusNotification.exe
4856	MusNotification.exe
3576	MusNotification.exe
3576	MusNotification.exe
856	MusNotification.exe
856	MusNotification.exe
3628	MusNotification.exe
2500	MusNotification.exe
1004	MusNotification.exe
3228	MusNotification.exe
5012	MusNotification.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1572	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
Token: SeDebugPrivilege	3904	MusNotification.exe
Token: SeDebugPrivilege	5108	MusNotification.exe
Token: SeDebugPrivilege	1780	MusNotification.exe
Token: SeDebugPrivilege	2028	MusNotification.exe
Token: SeDebugPrivilege	4528	MusNotification.exe
Token: SeDebugPrivilege	4856	MusNotification.exe
Token: SeDebugPrivilege	3576	MusNotification.exe
Token: SeDebugPrivilege	856	MusNotification.exe
Token: SeDebugPrivilege	3628	MusNotification.exe
Token: SeDebugPrivilege	2500	MusNotification.exe
Token: SeDebugPrivilege	1004	MusNotification.exe
Token: SeDebugPrivilege	3228	MusNotification.exe
Token: SeDebugPrivilege	5012	MusNotification.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.execmd.exeMusNotification.execmd.exeMusNotification.execmd.exeMusNotification.execmd.exeMusNotification.execmd.exeMusNotification.execmd.exeMusNotification.execmd.exeMusNotification.execmd.exeMusNotification.execmd.exeMusNotification.execmd.exeMusNotification.execmd.exe

description	pid	process	target process
PID 1572 wrote to memory of 1268	1572	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe	cmd.exe
PID 1572 wrote to memory of 1268	1572	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe	cmd.exe
PID 1268 wrote to memory of 2376	1268	cmd.exe	w32tm.exe
PID 1268 wrote to memory of 2376	1268	cmd.exe	w32tm.exe
PID 1268 wrote to memory of 3904	1268	cmd.exe	MusNotification.exe
PID 1268 wrote to memory of 3904	1268	cmd.exe	MusNotification.exe
PID 3904 wrote to memory of 4644	3904	MusNotification.exe	cmd.exe
PID 3904 wrote to memory of 4644	3904	MusNotification.exe	cmd.exe
PID 4644 wrote to memory of 4780	4644	cmd.exe	w32tm.exe
PID 4644 wrote to memory of 4780	4644	cmd.exe	w32tm.exe
PID 4644 wrote to memory of 5108	4644	cmd.exe	MusNotification.exe
PID 4644 wrote to memory of 5108	4644	cmd.exe	MusNotification.exe
PID 5108 wrote to memory of 2224	5108	MusNotification.exe	cmd.exe
PID 5108 wrote to memory of 2224	5108	MusNotification.exe	cmd.exe
PID 2224 wrote to memory of 4856	2224	cmd.exe	MusNotification.exe
PID 2224 wrote to memory of 4856	2224	cmd.exe	MusNotification.exe
PID 2224 wrote to memory of 1780	2224	cmd.exe	MusNotification.exe
PID 2224 wrote to memory of 1780	2224	cmd.exe	MusNotification.exe
PID 1780 wrote to memory of 5028	1780	MusNotification.exe	cmd.exe
PID 1780 wrote to memory of 5028	1780	MusNotification.exe	cmd.exe
PID 5028 wrote to memory of 2384	5028	cmd.exe	w32tm.exe
PID 5028 wrote to memory of 2384	5028	cmd.exe	w32tm.exe
PID 5028 wrote to memory of 2028	5028	cmd.exe	MusNotification.exe
PID 5028 wrote to memory of 2028	5028	cmd.exe	MusNotification.exe
PID 2028 wrote to memory of 4736	2028	MusNotification.exe	cmd.exe
PID 2028 wrote to memory of 4736	2028	MusNotification.exe	cmd.exe
PID 4736 wrote to memory of 4972	4736	cmd.exe	w32tm.exe
PID 4736 wrote to memory of 4972	4736	cmd.exe	w32tm.exe
PID 4736 wrote to memory of 4528	4736	cmd.exe	MusNotification.exe
PID 4736 wrote to memory of 4528	4736	cmd.exe	MusNotification.exe
PID 4528 wrote to memory of 4172	4528	MusNotification.exe	cmd.exe
PID 4528 wrote to memory of 4172	4528	MusNotification.exe	cmd.exe
PID 4172 wrote to memory of 3652	4172	cmd.exe	w32tm.exe
PID 4172 wrote to memory of 3652	4172	cmd.exe	w32tm.exe
PID 4172 wrote to memory of 4856	4172	cmd.exe	MusNotification.exe
PID 4172 wrote to memory of 4856	4172	cmd.exe	MusNotification.exe
PID 4856 wrote to memory of 3352	4856	MusNotification.exe	cmd.exe
PID 4856 wrote to memory of 3352	4856	MusNotification.exe	cmd.exe
PID 3352 wrote to memory of 3944	3352	cmd.exe	w32tm.exe
PID 3352 wrote to memory of 3944	3352	cmd.exe	w32tm.exe
PID 3352 wrote to memory of 3576	3352	cmd.exe	MusNotification.exe
PID 3352 wrote to memory of 3576	3352	cmd.exe	MusNotification.exe
PID 3576 wrote to memory of 2876	3576	MusNotification.exe	cmd.exe
PID 3576 wrote to memory of 2876	3576	MusNotification.exe	cmd.exe
PID 2876 wrote to memory of 4988	2876	cmd.exe	w32tm.exe
PID 2876 wrote to memory of 4988	2876	cmd.exe	w32tm.exe
PID 2876 wrote to memory of 856	2876	cmd.exe	MusNotification.exe
PID 2876 wrote to memory of 856	2876	cmd.exe	MusNotification.exe
PID 856 wrote to memory of 4536	856	MusNotification.exe	cmd.exe
PID 856 wrote to memory of 4536	856	MusNotification.exe	cmd.exe
PID 4536 wrote to memory of 440	4536	cmd.exe	w32tm.exe
PID 4536 wrote to memory of 440	4536	cmd.exe	w32tm.exe
PID 4536 wrote to memory of 3628	4536	cmd.exe	MusNotification.exe
PID 4536 wrote to memory of 3628	4536	cmd.exe	MusNotification.exe
PID 3628 wrote to memory of 644	3628	MusNotification.exe	cmd.exe
PID 3628 wrote to memory of 644	3628	MusNotification.exe	cmd.exe
PID 644 wrote to memory of 4052	644	cmd.exe	w32tm.exe
PID 644 wrote to memory of 4052	644	cmd.exe	w32tm.exe
PID 644 wrote to memory of 2500	644	cmd.exe	MusNotification.exe
PID 644 wrote to memory of 2500	644	cmd.exe	MusNotification.exe
PID 2500 wrote to memory of 2124	2500	MusNotification.exe	cmd.exe
PID 2500 wrote to memory of 2124	2500	MusNotification.exe	cmd.exe
PID 2124 wrote to memory of 3028	2124	cmd.exe	w32tm.exe
PID 2124 wrote to memory of 3028	2124	cmd.exe	w32tm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
"C:\Users\Admin\AppData\Local\Temp\2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\06G1VnWFbG.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2376

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:4780

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:4856

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:2384

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:4972

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:3652

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:3944

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
16⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:4988

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
18⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:440

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
20⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:4052

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
22⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:3028

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat"
24⤵
PID:684

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:4256

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe"
25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat"
26⤵
PID:2820

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
27⤵
PID:5100

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe"
27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat"
28⤵
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\PolicyDefinitions\es-ES\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3628 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:2432

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MusNotification.exe.log
Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\06G1VnWFbG.bat
Filesize
252B

MD5
06d4d408fe84168050c2e0a05db7ce0b

SHA1
3f07bd542424c6fe1d37c26dacd266bcf906913c

SHA256
bb0ad755dbd78ea47089217f2992581b845da87c214fccf2f4eb55e284bf9feb

SHA512
56d86fdfd819730636e52fd624d190192f1bd393a24cf139eb666974411155c2b12902fa3e0a0bda53f690dec8b2d0007024818b2e95bf6dfb84688bbd239d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat
Filesize
252B

MD5
d6390e6ff8ab7eabb545370d07ca047b

SHA1
d945280926076493ef83bf331c9c810087c89f4f

SHA256
534a6e5fded41cf720f2123d97c2fc414bd485348f9a3a6eb3f4e82a85a3c725

SHA512
84c29391734a03cfcac16f3d8e5e5436d043d1e6bf73f61133fa35dd2fe28c48d5a353937768ed2c38dcd583bbe62bc973070730c862263cc209656ebd3e9c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat
Filesize
252B

MD5
4adbc341ca9ff190955aabd6fc9a2e6a

SHA1
753e3d20ba55a85808dfdf04283da37efa7f76c4

SHA256
83a81b5eb1c5311b035344fbb3701645e11d460662f34c1828f744f8655e9687

SHA512
eaad26902b8c42dc46d44ad240e4d12e2b956bf95973b69f8a86e04c848af7a6138fdf64c00a5812068e1b212a9a293d5394e809e73d507871adec2a231dd21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat
Filesize
252B

MD5
cd087fc2cba7c04adcafab23cf2ac081

SHA1
3a1ca7bbc1d63776bc8f48eb32bac0cba0ffded8

SHA256
873bc43afc635ac6a9fb5a0ff04ce027283ac0fd1ed5bbdc252fe218cfcf85b8

SHA512
a7e3d0af5480335a5db82c5181c7918102766d1b165476e2f40ef6c73977a3b651433d8a647ca68df0f2af5441112c3c75f35636b2704fe1c5252a9549f38a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat
Filesize
252B

MD5
48d34bfa3c36b6194a113ffcf0c0041e

SHA1
bcd2478194a025d55b9f8dd5446f743a4d891478

SHA256
4e70e6cd48caa834fc2870f0f0dbe7a8beffc4ff9c0fec8578f9051a9e0091bd

SHA512
a903ea7f28efc24b407d02add26a6758e0227246efa28bd0ecaff742453ff24bb12a6d02b05ade490a1c579ecab282dc7b1d6c9123f1cd784eb02f49a6a46094

Download Submit
C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat
Filesize
252B

MD5
516c831e5dfae88f23196de1a9f8a5b0

SHA1
3ee542abb335e4f15459ef03063e292335457271

SHA256
3f37b9fb4a492e3b1e2d2a1154c55a7eba4131059ed84979bb8cddfef2b61f6f

SHA512
9054c0662eb4321ed5c6cb865643462302b34143b408195abdec159040fb5327ec6d983cfe1a2b2ba3f1b53c9eba9a53ed6f8b9f55d4bf6cbfea0d0a171b2c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat
Filesize
252B

MD5
fb99391f68cc51960fc77a9bdff22a12

SHA1
0fd7269ad621a81138b69597481135684a72246e

SHA256
fa0ca0a0ad05843cd085300e1ebdbfdc9ac73e6abc7c875f0dc460ce30cca181

SHA512
e046a5fb257d9074ab83635d7ec03f45d9e9fdc8addb41dbc0424734cdffca570f60f8922877c47682adf6f8ab7733cc949590487f804e0a66db522d3248e28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat
Filesize
252B

MD5
3aa2b75722138080eb1b3243c77846d9

SHA1
2b65f2a13e833fe3dd692eecd5b09447810048f4

SHA256
d12240a1d5050147587e3871a5b69774b376e8602888a4314a6f394c7ef1a299

SHA512
280b376feb599f6ff7ed473dbddb34a3fedbf63a39a069871efcb69c3ea0a2c1e7f1d7c33b46c32dc4e3c1a5a610beebcf95e31ad9bbe00a624ca4ee87993171

Download Submit
C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat
Filesize
252B

MD5
9256a102a669f04d52078116ad743a98

SHA1
45865313bb427024081af00c0ddaea7b3bff6b2e

SHA256
758bbc8bf8efce02e14614797395c8d8cc4973f032e70a76b0c79a300ef2646f

SHA512
52d83a77bb15b7677b85b5c161047cac2383f7bb16b1aa9b92237e8f299610a740680b29be837159f4da4264225cba6284b599606896c163e14ca0ce4b98b327

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat
Filesize
252B

MD5
e2e639444633dd921cc0c077fd2a3d2a

SHA1
ca1e8ee3a0c9dfab2d5adab0f8819fbb0044eed5

SHA256
49c6c10556f24960b4634e7b83940b3fc162fce0818074c7c6bb73df3bfe2522

SHA512
06aa4e9e08bec16473cef3a9ef93754a24ccfacde44bf898ef46e9bda531daac9618730547c34cbee50f7acc51d2ec4221af87a11f24d9e1cdfad8ac60101222

Download Submit
C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat
Filesize
252B

MD5
ad0516226abaffaa598301b350826efd

SHA1
d849ac74d569225459bd69eb8aab935a9b15411c

SHA256
62330a985cda1c1a3d84619f5760e5e01777c8930acc2b878374d22805dead48

SHA512
f9e13247e26725d5ebc6a68bf98d889056903c10c9c2e84145875b34af47913e3a11b788f9f48b6d2af5b1990fdd5071358e38fd3172a77deeb53354018ac645

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat
Filesize
252B

MD5
16efe7a073d6cd50c8607d816bf4c506

SHA1
5a176c1b13f9a081a78916453f395e7806518e8b

SHA256
0e8ad179d61361e7ba2a92f4330a2a48a24c776b3efa3d952998b1e5532086c5

SHA512
3547cd67f813651285cba6f2bac2ca3643c135331cfe5aeffb4be82886a4753fee8965dc8cf6c38bbfcbd3e9d8c0d61d02fe69bce1810575262be55af184aa67

Download Submit
C:\Users\Default\wininit.exe
Filesize
1008KB

MD5
579e5cbaf7b4ad7e0e0f2f991d072a6b

SHA1
338cb0a75e4d1d84e5cb3dcf11faa9c764d48e00

SHA256
2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f

SHA512
6a9cebaefe5ec375f9a932445fdc5b77945a46ac25c09fd8b3bc57c4b0b4d453eb5fffe70effdcabf0d46da63c73003aa109e342d648eef06c85d05e7b8dae92

Download Submit
memory/1572-2-0x00007FF984460000-0x00007FF984F21000-memory.dmp

Filesize
10.8MB

Download
memory/1572-0-0x00007FF984463000-0x00007FF984465000-memory.dmp

Filesize
8KB

Download
memory/1572-1-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1572-46-0x00007FF984460000-0x00007FF984F21000-memory.dmp

Filesize
10.8MB

Download
memory/1572-4-0x000000001B1B0000-0x000000001B200000-memory.dmp

Filesize
320KB

Download
memory/1572-3-0x0000000002630000-0x000000000264C000-memory.dmp

Filesize
112KB

Download
memory/1572-5-0x0000000000F60000-0x0000000000F68000-memory.dmp

Filesize
32KB

Download
memory/1780-68-0x000000001C730000-0x000000001C786000-memory.dmp

Filesize
344KB

Download