dcrat | 3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
Size

3.2MB
MD5

7ec98ffb225893aeee999179ca43380a
SHA1

d9ad6d24e771b5c2ebc4b4a70534329abfffe871
SHA256

3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad
SHA512

9b8e4d9123b1b1686fc88e17e02aa3d05b998ad21f9314cd15b2da8751906bc04c2f749e279d04f3a1a5b40074ed89b33bae749b8e0546f7e665b32ce6dbca05
SSDEEP

49152:nC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:nC0Fl8v/qXYrv5tG9uKJGAWl5N

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	4864	schtasks.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3944-0-0x0000000000050000-0x000000000038C000-memory.dmp	dcrat
C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	dcrat
C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	dcrat
C:\Recovery\WindowsRE\sysmon.exe	dcrat
C:\Windows\it-IT\smss.exe	dcrat

Detects executables packed with SmartAssembly 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3944-9-0x0000000002500000-0x0000000002510000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3944-13-0x000000001AF30000-0x000000001AF3A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3944-21-0x000000001B120000-0x000000001B12C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3944-22-0x000000001B130000-0x000000001B13C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3944-24-0x000000001B7B0000-0x000000001B7BC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3944-27-0x000000001B8C0000-0x000000001B8CA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3944-34-0x000000001BB70000-0x000000001BB7A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3944-32-0x000000001BA50000-0x000000001BA5C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fontdrvhost.exe3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 3 IoCs

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exe

pid process

5296 fontdrvhost.exe
1892 fontdrvhost.exe
2188 fontdrvhost.exe

pid	process
5296	fontdrvhost.exe
1892	fontdrvhost.exe
2188	fontdrvhost.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fontdrvhost.exe3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

Drops file in Program Files directory 46 IoCs

Processes:

3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files\Uninstall Information\fontdrvhost.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files\Mozilla Firefox\fonts\backgroundTaskHost.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files\Mozilla Firefox\fonts\eddb19405b7ce1	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXE4BC.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXE8D6.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXF09C.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXF749.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\886983d96e3d3e	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files (x86)\Common Files\System\en-US\RuntimeBroker.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files (x86)\Common Files\System\en-US\9e8d7a4ca61bd9	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXE43E.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files (x86)\Windows Mail\ea9f0e6c9e2dcd	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXF535.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\fontdrvhost.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX32B.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\csrss.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\RCX105.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\RCX116.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX31B.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXF09D.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXE8D7.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\en-US\RCXF320.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\en-US\RuntimeBroker.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXF534.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\55b276f4edf653	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files\Windows Portable Devices\55b276f4edf653	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files\ModifiableWindowsApps\RuntimeBroker.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\csrss.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXF75A.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files (x86)\Common Files\System\5b884080fd4f94	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXE228.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\en-US\RCXF31F.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\backgroundTaskHost.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\taskhostw.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files (x86)\Common Files\System\fontdrvhost.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Program Files (x86)\Windows Mail\taskhostw.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXE239.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe

Drops file in Windows directory 10 IoCs

Processes:

3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe

description	ioc	process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Windows\it-IT\RCXFE73.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Windows\it-IT\RCXFEF1.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\38384e6a620884	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Windows\it-IT\69ddcba757bf72	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXE6C0.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXE6C1.tmp	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File created	C:\Windows\it-IT\smss.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
File opened for modification	C:\Windows\it-IT\smss.exe	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
2024	schtasks.exe
5064	schtasks.exe
2340	schtasks.exe
2656	schtasks.exe
4032	schtasks.exe
888	schtasks.exe
4260	schtasks.exe
4456	schtasks.exe
876	schtasks.exe
4580	schtasks.exe
2856	schtasks.exe
4448	schtasks.exe
1012	schtasks.exe
1324	schtasks.exe
4064	schtasks.exe
4848	schtasks.exe
3292	schtasks.exe
4992	schtasks.exe
4724	schtasks.exe
1424	schtasks.exe
3680	schtasks.exe
1760	schtasks.exe
4208	schtasks.exe
3552	schtasks.exe
2036	schtasks.exe
4508	schtasks.exe
2136	schtasks.exe
4660	schtasks.exe
2296	schtasks.exe
452	schtasks.exe
4792	schtasks.exe
892	schtasks.exe
4040	schtasks.exe
2388	schtasks.exe
1880	schtasks.exe
4480	schtasks.exe
2996	schtasks.exe
4988	schtasks.exe
980	schtasks.exe
860	schtasks.exe
5076	schtasks.exe
4892	schtasks.exe
3104	schtasks.exe
788	schtasks.exe
3392	schtasks.exe
3928	schtasks.exe
4460	schtasks.exe
4248	schtasks.exe
3656	schtasks.exe
228	schtasks.exe
224	schtasks.exe
1540	schtasks.exe
628	schtasks.exe
3892	schtasks.exe

Modifies registry class 4 IoCs

Processes:

3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe

pid	process
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	5296	fontdrvhost.exe
Token: SeDebugPrivilege	1892	fontdrvhost.exe
Token: SeDebugPrivilege	2188	fontdrvhost.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exefontdrvhost.exeWScript.exefontdrvhost.exeWScript.exefontdrvhost.exe

description	pid	process	target process
PID 3944 wrote to memory of 532	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 532	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 4876	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 4876	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 1572	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 1572	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 3244	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 3244	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 3400	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 3400	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 1532	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 1532	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 2944	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 2944	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 3628	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 3628	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 2424	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 2424	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 1692	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 1692	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 1256	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 1256	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	powershell.exe
PID 3944 wrote to memory of 5296	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	fontdrvhost.exe
PID 3944 wrote to memory of 5296	3944	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe	fontdrvhost.exe
PID 5296 wrote to memory of 6028	5296	fontdrvhost.exe	WScript.exe
PID 5296 wrote to memory of 6028	5296	fontdrvhost.exe	WScript.exe
PID 5296 wrote to memory of 6072	5296	fontdrvhost.exe	WScript.exe
PID 5296 wrote to memory of 6072	5296	fontdrvhost.exe	WScript.exe
PID 6028 wrote to memory of 1892	6028	WScript.exe	fontdrvhost.exe
PID 6028 wrote to memory of 1892	6028	WScript.exe	fontdrvhost.exe
PID 1892 wrote to memory of 5564	1892	fontdrvhost.exe	WScript.exe
PID 1892 wrote to memory of 5564	1892	fontdrvhost.exe	WScript.exe
PID 1892 wrote to memory of 5916	1892	fontdrvhost.exe	WScript.exe
PID 1892 wrote to memory of 5916	1892	fontdrvhost.exe	WScript.exe
PID 5564 wrote to memory of 2188	5564	WScript.exe	fontdrvhost.exe
PID 5564 wrote to memory of 2188	5564	WScript.exe	fontdrvhost.exe
PID 2188 wrote to memory of 3824	2188	fontdrvhost.exe	WScript.exe
PID 2188 wrote to memory of 3824	2188	fontdrvhost.exe	WScript.exe
PID 2188 wrote to memory of 3192	2188	fontdrvhost.exe	WScript.exe
PID 2188 wrote to memory of 3192	2188	fontdrvhost.exe	WScript.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe
"C:\Users\Admin\AppData\Local\Temp\3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Recovery\WindowsRE\fontdrvhost.exe
"C:\Recovery\WindowsRE\fontdrvhost.exe"
2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5296

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e592661-41e5-4cba-aef7-dcc2345d0f7a.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:6028

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1892

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0714bdc6-a1bd-4169-a4cc-524852a365cd.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:5564

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2188

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5575160-cd88-47b2-96fd-41a71b0ea934.vbs"
7⤵
PID:3824

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d56da3a-d870-4e03-92f8-ef2a03c54da3.vbs"
7⤵
PID:3192

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84162cac-2f99-476d-b6e0-f9d90b59f9ce.vbs"
5⤵
PID:5916

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\501c18d3-7d7e-4480-a244-4c5a224114cd.vbs"
3⤵
PID:6072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\System\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fonts\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Pictures\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\System\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe
Filesize
3.2MB

MD5
7ec98ffb225893aeee999179ca43380a

SHA1
d9ad6d24e771b5c2ebc4b4a70534329abfffe871

SHA256
3b99c63e4974eae49eba3ac380fc4c75ba6a4e38cd381a00cc32cee95e7596ad

SHA512
9b8e4d9123b1b1686fc88e17e02aa3d05b998ad21f9314cd15b2da8751906bc04c2f749e279d04f3a1a5b40074ed89b33bae749b8e0546f7e665b32ce6dbca05

Download Submit
C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe
Filesize
3.2MB

MD5
5e2a824f46985e52d587746680439094

SHA1
7041468dad5e47a975142fce189637a1b917d087

SHA256
c030cf8823b22328ef323430de82371c9eeb8e686d8d2af0dc0cbffc00821825

SHA512
5a72ab675e61500f402924feb8d8d1dbfc914410ad38852b944a4b81a7be5c19ffe0f6648aae1578184e9b358c1ba1955cee691f656c1115089fa73aff6d59d4

Download Submit
C:\Recovery\WindowsRE\sysmon.exe
Filesize
3.2MB

MD5
68fbbf65c647ad8b9d0c3fc43cc8958a

SHA1
d7015103a03e5fbbe414f079768f820badf44343

SHA256
8098c4f02af98c867997d55ef5f8405bb83f099d3bc5262b9aae2935a0b5db47

SHA512
51c195888351bb2f67b6f77410379241775b7213f7e3dc01af7fa76a09b4cb8b4d12a8fdc2d039f5f07b5b2cb1815ae7ce76645d646458abe7cef704320e189c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
243347db405974f6277b941306d57ddb

SHA1
48a7563230d78ecfe8aaa7b749bf985c6078b4e4

SHA256
876100d0ce1aff677a0cab677787ca9858a989f4e5c13b05c8931f709232b835

SHA512
1c45eae761fb4224943debe2f2d553793146bb6d4bf2535de2bded3f9c78665607bc1fce7d4ecf905569488e42e42d0bf4b6d20dfcf8cda77a354b8faf17a951

Download Submit
C:\Users\Admin\AppData\Local\Temp\0714bdc6-a1bd-4169-a4cc-524852a365cd.vbs
Filesize
713B

MD5
46201c706c33ca4dc9e4aa7a2e833724

SHA1
16cd2a2b8a9c36e7861b3ccabf318420b30991ac

SHA256
c1dd71505069503411fead48db78161df047b2e649d936fc434fb4dcc44a1bfa

SHA512
8ef1aec726336cb4bca227e5497e3df558691a687e3be86fb87bd62643bef409b3ebd2f9b9fa9a54c086e57b1d13ed0bdb076e2c30c6bfeffaa1d2c2740c56ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\501c18d3-7d7e-4480-a244-4c5a224114cd.vbs
Filesize
489B

MD5
098acd824bf32aa2631d9fa73d8925ff

SHA1
d9b7f3212fff41c800c71880b48a3e3bae2743c7

SHA256
372c1ef504ac04f6e44974734d76510bc71c1bdb2dc66ae10a27a451af3f5498

SHA512
24a969436a7e3558e2153945a0ab168e660970fd7159ce14a2c61861151f908ae71de39291f70f93179909e1075626c00a8839ade8bb68e0d9a8a5b8bb564af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e592661-41e5-4cba-aef7-dcc2345d0f7a.vbs
Filesize
713B

MD5
6fb5687b78e8b498961678e3e3b185d3

SHA1
e4d75b2dac37742d96fc97958ab07a925d55a033

SHA256
a0c0e2c08d0baf64c478deb290a00efa77517d3f8e18e5fc02458e17a0fac252

SHA512
1bb1cc2c8c08620a1f6d291c6ab7f8df0259469d1ac7897aa93d7b40694371d1470612a2ed37fb07f0e1b60f7776bdaaf231a646c8393b889a70742b4109279c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pfj5vouz.zez.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5575160-cd88-47b2-96fd-41a71b0ea934.vbs
Filesize
713B

MD5
ced3eae5e5cd8daa33e9cc9258314ae0

SHA1
dcf09a49cf44a4d8b6051a1c6696f63561e4c2f6

SHA256
3d21dec3a463fe1718d4cab0161431daa2d9872d46ccdba8abb80f48609bac8b

SHA512
b81c7d10459c0a900af021028421d4b804a9ab308b580a0212e1ab749b2c2e201ad51478d6f8b06d0c1e6bf28d9d6e781576081052f673be0b0d59ecb53ef386

Download Submit
C:\Windows\it-IT\smss.exe
Filesize
3.2MB

MD5
e1312ce2cb1bb3f91a7b5fad2efe1ca3

SHA1
61b88893984f28abfc36dc177ec1b0ab39202fae

SHA256
049df8dc7b299aa4768623c4576d3e9dd4d218c2aa898aa131f5e22b27404c98

SHA512
591a3601b2fffbf8da8d03e01885b8981f084f65fa9b656924a1c75cf8a032d028a39d91aa449edd6511b4a75aaab44646340671438959caa85a2b26199ace98

Download Submit
memory/532-459-0x00000188409C0000-0x00000188409D0000-memory.dmp

Filesize
64KB

Download
memory/1256-455-0x00007FF947640000-0x00007FF948101000-memory.dmp

Filesize
10.8MB

Download
memory/1256-456-0x0000025BB5E90000-0x0000025BB5EA0000-memory.dmp

Filesize
64KB

Download
memory/1256-457-0x0000025BB5E90000-0x0000025BB5EA0000-memory.dmp

Filesize
64KB

Download
memory/1532-458-0x00000209907A0000-0x00000209907B0000-memory.dmp

Filesize
64KB

Download
memory/1572-339-0x000002DEFD080000-0x000002DEFD090000-memory.dmp

Filesize
64KB

Download
memory/1572-338-0x00007FF947640000-0x00007FF948101000-memory.dmp

Filesize
10.8MB

Download
memory/1692-449-0x000002B243D40000-0x000002B243D50000-memory.dmp

Filesize
64KB

Download
memory/1692-447-0x000002B243D40000-0x000002B243D50000-memory.dmp

Filesize
64KB

Download
memory/2424-325-0x00007FF947640000-0x00007FF948101000-memory.dmp

Filesize
10.8MB

Download
memory/2424-327-0x000001AE6E520000-0x000001AE6E530000-memory.dmp

Filesize
64KB

Download
memory/2944-415-0x0000028AAD080000-0x0000028AAD090000-memory.dmp

Filesize
64KB

Download
memory/2944-435-0x0000028AAD080000-0x0000028AAD090000-memory.dmp

Filesize
64KB

Download
memory/2944-413-0x00007FF947640000-0x00007FF948101000-memory.dmp

Filesize
10.8MB

Download
memory/3244-324-0x00007FF947640000-0x00007FF948101000-memory.dmp

Filesize
10.8MB

Download
memory/3244-460-0x000001B761E50000-0x000001B761E60000-memory.dmp

Filesize
64KB

Download
memory/3244-326-0x000001B761E50000-0x000001B761E60000-memory.dmp

Filesize
64KB

Download
memory/3400-337-0x0000024632B70000-0x0000024632B92000-memory.dmp

Filesize
136KB

Download
memory/3400-454-0x00007FF947640000-0x00007FF948101000-memory.dmp

Filesize
10.8MB

Download
memory/3628-425-0x0000020E51120000-0x0000020E51130000-memory.dmp

Filesize
64KB

Download
memory/3628-414-0x0000020E51120000-0x0000020E51130000-memory.dmp

Filesize
64KB

Download
memory/3628-385-0x00007FF947640000-0x00007FF948101000-memory.dmp

Filesize
10.8MB

Download
memory/3944-20-0x000000001BCD0000-0x000000001C1F8000-memory.dmp

Filesize
5.2MB

Download
memory/3944-0-0x0000000000050000-0x000000000038C000-memory.dmp

Filesize
3.2MB

Download
memory/3944-21-0x000000001B120000-0x000000001B12C000-memory.dmp

Filesize
48KB

Download
memory/3944-19-0x000000001AFE0000-0x000000001AFF2000-memory.dmp

Filesize
72KB

Download
memory/3944-16-0x000000001AFB0000-0x000000001AFB8000-memory.dmp

Filesize
32KB

Download
memory/3944-23-0x000000001B7A0000-0x000000001B7AC000-memory.dmp

Filesize
48KB

Download
memory/3944-35-0x000000001BA70000-0x000000001BA7C000-memory.dmp

Filesize
48KB

Download
memory/3944-32-0x000000001BA50000-0x000000001BA5C000-memory.dmp

Filesize
48KB

Download
memory/3944-33-0x000000001BA60000-0x000000001BA68000-memory.dmp

Filesize
32KB

Download
memory/3944-17-0x000000001AFC0000-0x000000001AFCC000-memory.dmp

Filesize
48KB

Download
memory/3944-34-0x000000001BB70000-0x000000001BB7A000-memory.dmp

Filesize
40KB

Download
memory/3944-18-0x000000001AFD0000-0x000000001AFD8000-memory.dmp

Filesize
32KB

Download
memory/3944-15-0x000000001AF40000-0x000000001AF4C000-memory.dmp

Filesize
48KB

Download
memory/3944-27-0x000000001B8C0000-0x000000001B8CA000-memory.dmp

Filesize
40KB

Download
memory/3944-29-0x000000001B8D0000-0x000000001B8DE000-memory.dmp

Filesize
56KB

Download
memory/3944-30-0x000000001BA30000-0x000000001BA38000-memory.dmp

Filesize
32KB

Download
memory/3944-31-0x000000001BA40000-0x000000001BA4E000-memory.dmp

Filesize
56KB

Download
memory/3944-28-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/3944-26-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/3944-443-0x00007FF947640000-0x00007FF948101000-memory.dmp

Filesize
10.8MB

Download
memory/3944-25-0x000000001B8E0000-0x000000001B8E8000-memory.dmp

Filesize
32KB

Download
memory/3944-78-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/3944-450-0x000000001B149000-0x000000001B14F000-memory.dmp

Filesize
24KB

Download
memory/3944-452-0x00007FF947640000-0x00007FF948101000-memory.dmp

Filesize
10.8MB

Download
memory/3944-1-0x00007FF947640000-0x00007FF948101000-memory.dmp

Filesize
10.8MB

Download
memory/3944-2-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/3944-24-0x000000001B7B0000-0x000000001B7BC000-memory.dmp

Filesize
48KB

Download
memory/3944-14-0x000000001B750000-0x000000001B7A6000-memory.dmp

Filesize
344KB

Download
memory/3944-13-0x000000001AF30000-0x000000001AF3A000-memory.dmp

Filesize
40KB

Download
memory/3944-10-0x000000001AF00000-0x000000001AF16000-memory.dmp

Filesize
88KB

Download
memory/3944-11-0x000000001AF20000-0x000000001AF28000-memory.dmp

Filesize
32KB

Download
memory/3944-12-0x000000001AFA0000-0x000000001AFB0000-memory.dmp

Filesize
64KB

Download
memory/3944-22-0x000000001B130000-0x000000001B13C000-memory.dmp

Filesize
48KB

Download
memory/3944-9-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3944-8-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/3944-7-0x000000001AF50000-0x000000001AFA0000-memory.dmp

Filesize
320KB

Download
memory/3944-5-0x00000000024C0000-0x00000000024C8000-memory.dmp

Filesize
32KB

Download
memory/3944-6-0x00000000024D0000-0x00000000024EC000-memory.dmp

Filesize
112KB

Download
memory/3944-4-0x00000000024B0000-0x00000000024BE000-memory.dmp

Filesize
56KB

Download
memory/3944-3-0x00000000024A0000-0x00000000024AE000-memory.dmp

Filesize
56KB

Download
memory/4876-453-0x0000015F3E1F0000-0x0000015F3E200000-memory.dmp

Filesize
64KB

Download
memory/4876-451-0x00007FF947640000-0x00007FF948101000-memory.dmp

Filesize
10.8MB

Download