dcrat | 374eba5495779dc24974bb881e0c3f298861a91d88d710da4f684bf8a2a01fe6

Analysis

max time kernel
46s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-06-2023 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1d05206520518a47f710e7197bbc336.exe
Size

1.5MB
MD5

a1d05206520518a47f710e7197bbc336
SHA1

270ac60027ac01b78139bec3a6fe54f702c4fe96
SHA256

374eba5495779dc24974bb881e0c3f298861a91d88d710da4f684bf8a2a01fe6
SHA512

6164910de359dd7f9ad12e75c1ea170ff5fb313598da249c12888a100cd01e3888bbea25240a7924ea825147a7979b0b941e9d8916a322dbb3846c077959921a
SSDEEP

24576:YW3QhwWwORHtx07i/85O8q9Fx7hFsf1gj7xN9sKrogXMAGqo3K6L29ufIOT0Gj:YW3QNRH/07imOljZhFsf1s9ZkgXZkKxC

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1436	schtasks.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate\GoogleChromeUpdate.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate\GoogleChromeUpdate.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate\GoogleChromeUpdate.exe	dcrat
\ProgramData\componentsessioncrt.exe	dcrat
C:\ProgramData\componentsessioncrt.exe	dcrat
\ProgramData\componentsessioncrt.exe	dcrat
C:\ProgramData\componentsessioncrt.exe	dcrat
behavioral1/memory/1112-78-0x0000000000F20000-0x000000000101E000-memory.dmp	dcrat
behavioral1/memory/1112-81-0x000000001AF00000-0x000000001AF80000-memory.dmp	dcrat
C:\Users\Public\Desktop\taskhost.exe	dcrat
C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe	dcrat
behavioral1/memory/2604-127-0x0000000000CE0000-0x0000000000DDE000-memory.dmp	dcrat
C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe	dcrat

Executes dropped EXE 3 IoCs

Processes:

GoogleChromeUpdate.execomponentsessioncrt.exewinlogon.exe

pid process

1940 GoogleChromeUpdate.exe
1112 componentsessioncrt.exe
2604 winlogon.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1740 cmd.exe
1740 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1940	GoogleChromeUpdate.exe
1112	componentsessioncrt.exe
2604	winlogon.exe

pid	process
1740	cmd.exe
1740	cmd.exe

Drops file in Program Files directory 12 IoCs

Processes:

componentsessioncrt.exe

description	ioc	process
File created	C:\Program Files\Windows Defender\fr-FR\7a0fd90576e088	componentsessioncrt.exe
File created	C:\Program Files\Windows Defender\es-ES\dwm.exe	componentsessioncrt.exe
File created	C:\Program Files\Windows Defender\es-ES\6cb0b6c459d5d3	componentsessioncrt.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe	componentsessioncrt.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\088424020bedd6	componentsessioncrt.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\sppsvc.exe	componentsessioncrt.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\0a1fd5f707cd16	componentsessioncrt.exe
File created	C:\Program Files\Windows Defender\fr-FR\explorer.exe	componentsessioncrt.exe
File created	C:\Program Files\Windows NT\WmiPrvSE.exe	componentsessioncrt.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\explorer.exe	componentsessioncrt.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\7a0fd90576e088	componentsessioncrt.exe
File created	C:\Program Files\Windows NT\24dbde2999530e	componentsessioncrt.exe

Drops file in Windows directory 8 IoCs

Processes:

componentsessioncrt.exe

description	ioc	process
File created	C:\Windows\Offline Web Pages\886983d96e3d3e	componentsessioncrt.exe
File created	C:\Windows\LiveKernelReports\spoolsv.exe	componentsessioncrt.exe
File created	C:\Windows\LiveKernelReports\f3b6ecef712a24	componentsessioncrt.exe
File created	C:\Windows\PLA\Rules\en-US\taskhost.exe	componentsessioncrt.exe
File created	C:\Windows\PLA\Rules\en-US\b75386f1303e64	componentsessioncrt.exe
File created	C:\Windows\ModemLogs\componentsessioncrt.exe	componentsessioncrt.exe
File created	C:\Windows\ModemLogs\aed35854cd9883	componentsessioncrt.exe
File created	C:\Windows\Offline Web Pages\csrss.exe	componentsessioncrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1516	schtasks.exe
1884	schtasks.exe
364	schtasks.exe
1156	schtasks.exe
2260	schtasks.exe
1212	schtasks.exe
1776	schtasks.exe
2140	schtasks.exe
892	schtasks.exe
920	schtasks.exe
2184	schtasks.exe
2328	schtasks.exe
1668	schtasks.exe
1588	schtasks.exe
568	schtasks.exe
1548	schtasks.exe
776	schtasks.exe
956	schtasks.exe
1004	schtasks.exe
2164	schtasks.exe
696	schtasks.exe
524	schtasks.exe
1128	schtasks.exe
2080	schtasks.exe
1072	schtasks.exe
2108	schtasks.exe
756	schtasks.exe
2012	schtasks.exe
1528	schtasks.exe
2240	schtasks.exe
112	schtasks.exe
1108	schtasks.exe
2064	schtasks.exe
2012	schtasks.exe
1660	schtasks.exe
596	schtasks.exe
1828	schtasks.exe
2220	schtasks.exe
1236	schtasks.exe
812	schtasks.exe
1000	schtasks.exe
536	schtasks.exe
1652	schtasks.exe
2312	schtasks.exe
516	schtasks.exe
1628	schtasks.exe
1492	schtasks.exe
2032	schtasks.exe
1712	schtasks.exe
2292	schtasks.exe
1204	schtasks.exe
1176	schtasks.exe
1808	schtasks.exe
1712	schtasks.exe
776	schtasks.exe
1556	schtasks.exe
760	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

winlogon.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	winlogon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	winlogon.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

componentsessioncrt.exewinlogon.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1112	componentsessioncrt.exe
2604	winlogon.exe
2476	powershell.exe
2376	powershell.exe
2360	powershell.exe
2448	powershell.exe
2392	powershell.exe
2456	powershell.exe
2400	powershell.exe
2368	powershell.exe
2492	powershell.exe
2432	powershell.exe
2416	powershell.exe
2352	powershell.exe
2604	winlogon.exe
2604	winlogon.exe
2604	winlogon.exe
2604	winlogon.exe
2604	winlogon.exe
2604	winlogon.exe
2604	winlogon.exe
2604	winlogon.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1112	componentsessioncrt.exe
Token: SeDebugPrivilege	2604	winlogon.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

a1d05206520518a47f710e7197bbc336.exeGoogleChromeUpdate.exeWScript.execmd.execomponentsessioncrt.exe

description	pid	process	target process
PID 1932 wrote to memory of 1596	1932	a1d05206520518a47f710e7197bbc336.exe	cmd.exe
PID 1932 wrote to memory of 1596	1932	a1d05206520518a47f710e7197bbc336.exe	cmd.exe
PID 1932 wrote to memory of 1596	1932	a1d05206520518a47f710e7197bbc336.exe	cmd.exe
PID 1932 wrote to memory of 1940	1932	a1d05206520518a47f710e7197bbc336.exe	GoogleChromeUpdate.exe
PID 1932 wrote to memory of 1940	1932	a1d05206520518a47f710e7197bbc336.exe	GoogleChromeUpdate.exe
PID 1932 wrote to memory of 1940	1932	a1d05206520518a47f710e7197bbc336.exe	GoogleChromeUpdate.exe
PID 1932 wrote to memory of 1940	1932	a1d05206520518a47f710e7197bbc336.exe	GoogleChromeUpdate.exe
PID 1932 wrote to memory of 1940	1932	a1d05206520518a47f710e7197bbc336.exe	GoogleChromeUpdate.exe
PID 1932 wrote to memory of 1940	1932	a1d05206520518a47f710e7197bbc336.exe	GoogleChromeUpdate.exe
PID 1932 wrote to memory of 1940	1932	a1d05206520518a47f710e7197bbc336.exe	GoogleChromeUpdate.exe
PID 1940 wrote to memory of 844	1940	GoogleChromeUpdate.exe	WScript.exe
PID 1940 wrote to memory of 844	1940	GoogleChromeUpdate.exe	WScript.exe
PID 1940 wrote to memory of 844	1940	GoogleChromeUpdate.exe	WScript.exe
PID 1940 wrote to memory of 844	1940	GoogleChromeUpdate.exe	WScript.exe
PID 844 wrote to memory of 1740	844	WScript.exe	cmd.exe
PID 844 wrote to memory of 1740	844	WScript.exe	cmd.exe
PID 844 wrote to memory of 1740	844	WScript.exe	cmd.exe
PID 844 wrote to memory of 1740	844	WScript.exe	cmd.exe
PID 1740 wrote to memory of 1112	1740	cmd.exe	componentsessioncrt.exe
PID 1740 wrote to memory of 1112	1740	cmd.exe	componentsessioncrt.exe
PID 1740 wrote to memory of 1112	1740	cmd.exe	componentsessioncrt.exe
PID 1740 wrote to memory of 1112	1740	cmd.exe	componentsessioncrt.exe
PID 1112 wrote to memory of 2352	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2352	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2352	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2360	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2360	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2360	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2368	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2368	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2368	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2376	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2376	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2376	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2392	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2392	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2392	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2400	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2400	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2400	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2416	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2416	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2416	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2432	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2432	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2432	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2448	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2448	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2448	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2456	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2456	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2456	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2476	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2476	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2476	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2492	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2492	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2492	1112	componentsessioncrt.exe	powershell.exe
PID 1112 wrote to memory of 2604	1112	componentsessioncrt.exe	winlogon.exe
PID 1112 wrote to memory of 2604	1112	componentsessioncrt.exe	winlogon.exe
PID 1112 wrote to memory of 2604	1112	componentsessioncrt.exe	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a1d05206520518a47f710e7197bbc336.exe
"C:\Users\Admin\AppData\Local\Temp\a1d05206520518a47f710e7197bbc336.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate\KillDuplicate.cmd" "C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate" "a1d05206520518a47f710e7197bbc336.exe""
2⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate\GoogleChromeUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate\GoogleChromeUpdate.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\01JDjn9an.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\vyRlj1SkqrfRYAG7.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\ProgramData\componentsessioncrt.exe
"C:\ProgramData\componentsessioncrt.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe
"C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Rules\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\Rules\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentsessioncrtc" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\componentsessioncrt.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentsessioncrt" /sc ONLOGON /tr "'C:\Windows\ModemLogs\componentsessioncrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentsessioncrtc" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\componentsessioncrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\fr-FR\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows NT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\01JDjn9an.vbe
Filesize
205B

MD5
76db147c9e20a89ea972166168a4b9ba

SHA1
475c26be4c2e8bc8ef0fd4bcc469e92e64f332ae

SHA256
5699049e3e55284b66a98cdbce5b4c36c3ce7396bdf60632c544ce390bad6dd0

SHA512
e32b9bfa54d9c71d1b17ea71ee5846a9f2220b77ad23045f5662c52324037e99cab253676d8d8e75bea44e2cf824b1ea3cc92ee84cced7866292eb73d51f77eb

Download Submit
C:\ProgramData\componentsessioncrt.exe
Filesize
983KB

MD5
5defd0000aa1bf0805c8d2e2fc3ed20d

SHA1
e7a366a7a834e2ab3cabc3dd412f065c636b4efb

SHA256
fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888

SHA512
e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d

Download Submit
C:\ProgramData\componentsessioncrt.exe
Filesize
983KB

MD5
5defd0000aa1bf0805c8d2e2fc3ed20d

SHA1
e7a366a7a834e2ab3cabc3dd412f065c636b4efb

SHA256
fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888

SHA512
e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d

Download Submit
C:\ProgramData\vyRlj1SkqrfRYAG7.bat
Filesize
40B

MD5
89947106df373d55eec5d73e11eac3e1

SHA1
788822f62913626780934e0bae6239b2f945dc61

SHA256
b30caba090d08a4bd296166f4833c90e5c0057d1bd04e0d50592319bccaf4637

SHA512
cc4d1a9b2fc1596526e99488fffde8d39c263b5551c5c5696dacbe3065cf44f5a94d77a34821cfe10b53e0e9202c3328850bd53bc6e0d4aca3ff99d729e33168

Download Submit
C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe
Filesize
983KB

MD5
5defd0000aa1bf0805c8d2e2fc3ed20d

SHA1
e7a366a7a834e2ab3cabc3dd412f065c636b4efb

SHA256
fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888

SHA512
e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d

Download Submit
C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe
Filesize
983KB

MD5
5defd0000aa1bf0805c8d2e2fc3ed20d

SHA1
e7a366a7a834e2ab3cabc3dd412f065c636b4efb

SHA256
fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888

SHA512
e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate\GoogleChromeUpdate.exe
Filesize
1.3MB

MD5
bced1e7139210b3cdd27938afeb88d8f

SHA1
06954c644d000863658b68dce36b6972f38da7d1

SHA256
d74aba28905fc35c7163604b9a807f289e00b0b28b4c88d06e308b4c977c1ea7

SHA512
310af594a2a744cb2e87aca3daeb2251d2219644bfc4f83fbcbce30119045fcbf68bd5a6ab318caa8090fd6598cc0de475c4687ae109458d71e11bf946df4b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate\GoogleChromeUpdate.exe
Filesize
1.3MB

MD5
bced1e7139210b3cdd27938afeb88d8f

SHA1
06954c644d000863658b68dce36b6972f38da7d1

SHA256
d74aba28905fc35c7163604b9a807f289e00b0b28b4c88d06e308b4c977c1ea7

SHA512
310af594a2a744cb2e87aca3daeb2251d2219644bfc4f83fbcbce30119045fcbf68bd5a6ab318caa8090fd6598cc0de475c4687ae109458d71e11bf946df4b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoogleChromeUpdate\GoogleChromeUpdate.exe
Filesize
1.3MB

MD5
bced1e7139210b3cdd27938afeb88d8f

SHA1
06954c644d000863658b68dce36b6972f38da7d1

SHA256
d74aba28905fc35c7163604b9a807f289e00b0b28b4c88d06e308b4c977c1ea7

SHA512
310af594a2a744cb2e87aca3daeb2251d2219644bfc4f83fbcbce30119045fcbf68bd5a6ab318caa8090fd6598cc0de475c4687ae109458d71e11bf946df4b94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
598ee337a1138c59c07ea8dbc6726153

SHA1
f8b4b7a28205489f7c690104917dbd46fe295578

SHA256
f8c993b0a8ce5a4eba7ac3f547d7e484fdccdee23948abce21ce505c54250b72

SHA512
673a4be0109b10b72fb5a2263ee3f0b7163a2266dd24d6f38881075ce3a2999175c48b0a204d46f2f897e6d17d39408487bb580c7dde13d9fed8ef2fb03fe0cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
598ee337a1138c59c07ea8dbc6726153

SHA1
f8b4b7a28205489f7c690104917dbd46fe295578

SHA256
f8c993b0a8ce5a4eba7ac3f547d7e484fdccdee23948abce21ce505c54250b72

SHA512
673a4be0109b10b72fb5a2263ee3f0b7163a2266dd24d6f38881075ce3a2999175c48b0a204d46f2f897e6d17d39408487bb580c7dde13d9fed8ef2fb03fe0cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
598ee337a1138c59c07ea8dbc6726153

SHA1
f8b4b7a28205489f7c690104917dbd46fe295578

SHA256
f8c993b0a8ce5a4eba7ac3f547d7e484fdccdee23948abce21ce505c54250b72

SHA512
673a4be0109b10b72fb5a2263ee3f0b7163a2266dd24d6f38881075ce3a2999175c48b0a204d46f2f897e6d17d39408487bb580c7dde13d9fed8ef2fb03fe0cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
598ee337a1138c59c07ea8dbc6726153

SHA1
f8b4b7a28205489f7c690104917dbd46fe295578

SHA256
f8c993b0a8ce5a4eba7ac3f547d7e484fdccdee23948abce21ce505c54250b72

SHA512
673a4be0109b10b72fb5a2263ee3f0b7163a2266dd24d6f38881075ce3a2999175c48b0a204d46f2f897e6d17d39408487bb580c7dde13d9fed8ef2fb03fe0cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
598ee337a1138c59c07ea8dbc6726153

SHA1
f8b4b7a28205489f7c690104917dbd46fe295578

SHA256
f8c993b0a8ce5a4eba7ac3f547d7e484fdccdee23948abce21ce505c54250b72

SHA512
673a4be0109b10b72fb5a2263ee3f0b7163a2266dd24d6f38881075ce3a2999175c48b0a204d46f2f897e6d17d39408487bb580c7dde13d9fed8ef2fb03fe0cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
598ee337a1138c59c07ea8dbc6726153

SHA1
f8b4b7a28205489f7c690104917dbd46fe295578

SHA256
f8c993b0a8ce5a4eba7ac3f547d7e484fdccdee23948abce21ce505c54250b72

SHA512
673a4be0109b10b72fb5a2263ee3f0b7163a2266dd24d6f38881075ce3a2999175c48b0a204d46f2f897e6d17d39408487bb580c7dde13d9fed8ef2fb03fe0cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
598ee337a1138c59c07ea8dbc6726153

SHA1
f8b4b7a28205489f7c690104917dbd46fe295578

SHA256
f8c993b0a8ce5a4eba7ac3f547d7e484fdccdee23948abce21ce505c54250b72

SHA512
673a4be0109b10b72fb5a2263ee3f0b7163a2266dd24d6f38881075ce3a2999175c48b0a204d46f2f897e6d17d39408487bb580c7dde13d9fed8ef2fb03fe0cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
598ee337a1138c59c07ea8dbc6726153

SHA1
f8b4b7a28205489f7c690104917dbd46fe295578

SHA256
f8c993b0a8ce5a4eba7ac3f547d7e484fdccdee23948abce21ce505c54250b72

SHA512
673a4be0109b10b72fb5a2263ee3f0b7163a2266dd24d6f38881075ce3a2999175c48b0a204d46f2f897e6d17d39408487bb580c7dde13d9fed8ef2fb03fe0cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LEUWPNKQEJNEQJPJSD4E.temp
Filesize
7KB

MD5
598ee337a1138c59c07ea8dbc6726153

SHA1
f8b4b7a28205489f7c690104917dbd46fe295578

SHA256
f8c993b0a8ce5a4eba7ac3f547d7e484fdccdee23948abce21ce505c54250b72

SHA512
673a4be0109b10b72fb5a2263ee3f0b7163a2266dd24d6f38881075ce3a2999175c48b0a204d46f2f897e6d17d39408487bb580c7dde13d9fed8ef2fb03fe0cd

Download Submit
C:\Users\Public\Desktop\taskhost.exe
Filesize
983KB

MD5
5defd0000aa1bf0805c8d2e2fc3ed20d

SHA1
e7a366a7a834e2ab3cabc3dd412f065c636b4efb

SHA256
fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888

SHA512
e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d

Download Submit
\ProgramData\componentsessioncrt.exe
Filesize
983KB

MD5
5defd0000aa1bf0805c8d2e2fc3ed20d

SHA1
e7a366a7a834e2ab3cabc3dd412f065c636b4efb

SHA256
fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888

SHA512
e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d

Download Submit
\ProgramData\componentsessioncrt.exe
Filesize
983KB

MD5
5defd0000aa1bf0805c8d2e2fc3ed20d

SHA1
e7a366a7a834e2ab3cabc3dd412f065c636b4efb

SHA256
fc11e2bbd6d3e8dce36393b3b00504ce8ed994e0498fffee0ce42d838ae51888

SHA512
e387cb219aec67da2eab62d7f091b8cad5b87cd971477f50c80ba263d009bc862ff272611a572de5cf51a27119e5ad0fae33cb9a4953b91768ed9252ebe84a7d

Download Submit
memory/1112-81-0x000000001AF00000-0x000000001AF80000-memory.dmp

Filesize
512KB

Download
memory/1112-78-0x0000000000F20000-0x000000000101E000-memory.dmp

Filesize
1016KB

Download
memory/1112-80-0x0000000000890000-0x000000000089A000-memory.dmp

Filesize
40KB

Download
memory/1112-79-0x0000000000880000-0x000000000088E000-memory.dmp

Filesize
56KB

Download
memory/1112-82-0x0000000000920000-0x000000000092C000-memory.dmp

Filesize
48KB

Download
memory/2352-208-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2352-209-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2352-231-0x000000000292B000-0x0000000002962000-memory.dmp

Filesize
220KB

Download
memory/2352-222-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2360-192-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2360-187-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2360-189-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2360-194-0x00000000028DB000-0x0000000002912000-memory.dmp

Filesize
220KB

Download
memory/2368-227-0x000000000233B000-0x0000000002372000-memory.dmp

Filesize
220KB

Download
memory/2368-212-0x0000000002330000-0x00000000023B0000-memory.dmp

Filesize
512KB

Download
memory/2368-211-0x0000000002330000-0x00000000023B0000-memory.dmp

Filesize
512KB

Download
memory/2368-210-0x0000000002330000-0x00000000023B0000-memory.dmp

Filesize
512KB

Download
memory/2376-190-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/2376-193-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/2376-226-0x000000000237B000-0x00000000023B2000-memory.dmp

Filesize
220KB

Download
memory/2376-197-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/2392-200-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2392-201-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2392-225-0x00000000024DB000-0x0000000002512000-memory.dmp

Filesize
220KB

Download
memory/2400-207-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2400-204-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2400-206-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2400-228-0x00000000025BB000-0x00000000025F2000-memory.dmp

Filesize
220KB

Download
memory/2416-219-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/2416-233-0x000000000237B000-0x00000000023B2000-memory.dmp

Filesize
220KB

Download
memory/2416-220-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/2416-221-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/2432-216-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2432-218-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2432-217-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2432-232-0x000000000298B000-0x00000000029C2000-memory.dmp

Filesize
220KB

Download
memory/2448-198-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2448-224-0x00000000028CB000-0x0000000002902000-memory.dmp

Filesize
220KB

Download
memory/2448-199-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2456-229-0x000000000297B000-0x00000000029B2000-memory.dmp

Filesize
220KB

Download
memory/2456-205-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2456-203-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2456-202-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2476-195-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2476-223-0x00000000028CB000-0x0000000002902000-memory.dmp

Filesize
220KB

Download
memory/2476-196-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2476-191-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2476-186-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2476-185-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/2492-215-0x0000000001ED0000-0x0000000001F50000-memory.dmp

Filesize
512KB

Download
memory/2492-214-0x0000000001ED0000-0x0000000001F50000-memory.dmp

Filesize
512KB

Download
memory/2492-213-0x0000000001ED0000-0x0000000001F50000-memory.dmp

Filesize
512KB

Download
memory/2492-230-0x0000000001EDB000-0x0000000001F12000-memory.dmp

Filesize
220KB

Download
memory/2604-188-0x000000001ADF0000-0x000000001AE70000-memory.dmp

Filesize
512KB

Download
memory/2604-127-0x0000000000CE0000-0x0000000000DDE000-memory.dmp

Filesize
1016KB

Download
memory/2604-234-0x000000001ADF0000-0x000000001AE70000-memory.dmp

Filesize
512KB

Download