dcrat | 5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781

Analysis

max time kernel
105s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Size

1.5MB
MD5

8a3610882dcd50607fd3fa01d7a27b70
SHA1

3f3823159964a51f3e55decdbe83abaf79ba9d8a
SHA256

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781
SHA512

faca6c13605606e436ca4c78ce0fd2f8cbafaa5ef72f68aae880ee9528377aff69b58f5e16633ee3cf7bec4f732de86fcebafd1ba1490636d0676f9d0a32a444
SSDEEP

24576:dbfESdvMj6hoGDAQsJ+N6XcHQWq3QY2SrXQLdok0OjYS4mej+T1kJCv:ZEi6GDAQORcwW5/oBjme81

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		2416	schtasks.exe
		2324	schtasks.exe
		1524	schtasks.exe
		2456	schtasks.exe
		1096	schtasks.exe
		1456	schtasks.exe
		2176	schtasks.exe
		2608	schtasks.exe
		4540	schtasks.exe
		4552	schtasks.exe
File created	C:\Program Files\Uninstall Information\Registry.exe		5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
		3296	schtasks.exe
		1496	schtasks.exe
		2980	schtasks.exe
		2448	schtasks.exe
		4828	schtasks.exe
		4436	schtasks.exe
		3580	schtasks.exe
		4768	schtasks.exe
		2344	schtasks.exe
		4332	schtasks.exe
		3076	schtasks.exe
		2952	schtasks.exe
		5036	schtasks.exe
		3116	schtasks.exe
		4376	schtasks.exe
		4728	schtasks.exe
		1480	schtasks.exe
		5000	schtasks.exe
		2580	schtasks.exe
		3388	schtasks.exe
		2116	schtasks.exe
		1696	schtasks.exe
		3412	schtasks.exe
		1624	schtasks.exe
		4732	schtasks.exe
		1488	schtasks.exe
		1440	schtasks.exe
File created	C:\Program Files\Uninstall Information\ee2ad38f3d4382		5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
		2672	schtasks.exe
		3316	schtasks.exe
		3972	schtasks.exe
		1804	schtasks.exe
		4784	schtasks.exe
		4268	schtasks.exe
		4452	schtasks.exe
		1044	schtasks.exe
		3724	schtasks.exe
		3632	schtasks.exe
		2440	schtasks.exe
		3716	schtasks.exe
		2740	schtasks.exe
		1324	schtasks.exe
		3800	schtasks.exe
		3228	schtasks.exe
		2868	schtasks.exe
		3908	schtasks.exe
		3420	schtasks.exe
		940	schtasks.exe
		2916	schtasks.exe
		2136	schtasks.exe
		4700	schtasks.exe
		4116	schtasks.exe
		4212	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\", \"C:\\Windows\\debug\\dllhost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\", \"C:\\Windows\\debug\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\Idle.exe\", \"C:\\ProgramData\\regid.1991-06.com.microsoft\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Documents and Settings\\explorer.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\", \"C:\\Windows\\debug\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\Idle.exe\", \"C:\\ProgramData\\regid.1991-06.com.microsoft\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Documents and Settings\\explorer.exe\", \"C:\\Documents and Settings\\unsecapp.exe\", \"C:\\Users\\All Users\\Start Menu\\fontdrvhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\ProgramData\\ssh\\dwm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\", \"C:\\Windows\\debug\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\Idle.exe\", \"C:\\ProgramData\\regid.1991-06.com.microsoft\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Documents and Settings\\explorer.exe\", \"C:\\Documents and Settings\\unsecapp.exe\", \"C:\\Users\\All Users\\Start Menu\\fontdrvhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\", \"C:\\Windows\\debug\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\Idle.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\", \"C:\\Windows\\debug\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\Idle.exe\", \"C:\\ProgramData\\regid.1991-06.com.microsoft\\backgroundTaskHost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\", \"C:\\Windows\\debug\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\Idle.exe\", \"C:\\ProgramData\\regid.1991-06.com.microsoft\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\", \"C:\\Windows\\debug\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\Idle.exe\", \"C:\\ProgramData\\regid.1991-06.com.microsoft\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\", \"C:\\Windows\\debug\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\Idle.exe\", \"C:\\ProgramData\\regid.1991-06.com.microsoft\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Documents and Settings\\explorer.exe\", \"C:\\Documents and Settings\\unsecapp.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\", \"C:\\Windows\\debug\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\Idle.exe\", \"C:\\ProgramData\\regid.1991-06.com.microsoft\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Documents and Settings\\explorer.exe\", \"C:\\Documents and Settings\\unsecapp.exe\", \"C:\\Users\\All Users\\Start Menu\\fontdrvhost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\", \"C:\\Windows\\debug\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\Idle.exe\", \"C:\\ProgramData\\regid.1991-06.com.microsoft\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Documents and Settings\\explorer.exe\", \"C:\\Documents and Settings\\unsecapp.exe\", \"C:\\Users\\All Users\\Start Menu\\fontdrvhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\upfc.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\", \"C:\\Windows\\debug\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\Idle.exe\", \"C:\\ProgramData\\regid.1991-06.com.microsoft\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Documents and Settings\\explorer.exe\", \"C:\\Documents and Settings\\unsecapp.exe\", \"C:\\Users\\All Users\\Start Menu\\fontdrvhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\ProgramData\\ssh\\dwm.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Examples\\Validator\\upfc.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Users\\Admin\\Recent\\Idle.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\", \"C:\\Windows\\debug\\dllhost.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\Idle.exe\", \"C:\\ProgramData\\regid.1991-06.com.microsoft\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Documents and Settings\\explorer.exe\", \"C:\\Documents and Settings\\unsecapp.exe\", \"C:\\Users\\All Users\\Start Menu\\fontdrvhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Documents and Settings\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	1708	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	1708	schtasks.exe	85

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
876	powershell.exe
3336	powershell.exe
940	powershell.exe
4124	powershell.exe
2912	powershell.exe
4408	powershell.exe
772	powershell.exe
4880	powershell.exe
5048	powershell.exe
1760	powershell.exe
1104	powershell.exe
2292	powershell.exe
5016	powershell.exe
1368	powershell.exe
1316	powershell.exe
3548	powershell.exe
2760	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exefontdrvhost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 2 IoCs

Processes:

fontdrvhost.exefontdrvhost.exe

pid	Process
5240	fontdrvhost.exe
5068	fontdrvhost.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Documents and Settings\\explorer.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ProgramData\\ssh\\dwm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Examples\\Validator\\upfc.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Uninstall Information\\Registry.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Internet Explorer\\es-ES\\Idle.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Documents and Settings\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\sihost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Recent\\Idle.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\debug\\dllhost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\ProgramData\\regid.1991-06.com.microsoft\\backgroundTaskHost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Documents and Settings\\unsecapp.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\Start Menu\\fontdrvhost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\upfc.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

Drops file in Program Files directory 16 IoCs

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\upfc.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX9655.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\upfc.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\RCXB70C.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files\Uninstall Information\Registry.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files\Internet Explorer\es-ES\6ccacd8608530f	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\upfc.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\upfc.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files\Uninstall Information\Registry.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\ea1d8f6d871115	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\ea1d8f6d871115	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\RCX9E87.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\Idle.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXAE0F.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files\Uninstall Information\ee2ad38f3d4382	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files\Internet Explorer\es-ES\Idle.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

Drops file in Windows directory 4 IoCs

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

description	ioc	Process
File opened for modification	C:\Windows\debug\RCX9C73.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Windows\debug\dllhost.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\debug\dllhost.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\debug\5940a34987c991	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exefontdrvhost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
3692	schtasks.exe
4436	schtasks.exe
2868	schtasks.exe
2980	schtasks.exe
2952	schtasks.exe
1624	schtasks.exe
4540	schtasks.exe
4376	schtasks.exe
4768	schtasks.exe
3388	schtasks.exe
4552	schtasks.exe
2344	schtasks.exe
4828	schtasks.exe
3972	schtasks.exe
3420	schtasks.exe
1044	schtasks.exe
1480	schtasks.exe
4700	schtasks.exe
3228	schtasks.exe
2916	schtasks.exe
1804	schtasks.exe
1524	schtasks.exe
4268	schtasks.exe
2416	schtasks.exe
2456	schtasks.exe
5036	schtasks.exe
3296	schtasks.exe
3908	schtasks.exe
3724	schtasks.exe
1496	schtasks.exe
1456	schtasks.exe
2116	schtasks.exe
2324	schtasks.exe
3632	schtasks.exe
940	schtasks.exe
1440	schtasks.exe
3716	schtasks.exe
3412	schtasks.exe
3116	schtasks.exe
3800	schtasks.exe
4332	schtasks.exe
2580	schtasks.exe
4452	schtasks.exe
2672	schtasks.exe
4116	schtasks.exe
3580	schtasks.exe
4212	schtasks.exe
1488	schtasks.exe
2136	schtasks.exe
2440	schtasks.exe
3076	schtasks.exe
2176	schtasks.exe
4728	schtasks.exe
1096	schtasks.exe
2740	schtasks.exe
5000	schtasks.exe
3120	schtasks.exe
4784	schtasks.exe
2608	schtasks.exe
4732	schtasks.exe
1696	schtasks.exe
1324	schtasks.exe
2448	schtasks.exe
3316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
5048	powershell.exe
5048	powershell.exe
4124	powershell.exe
4124	powershell.exe
1316	powershell.exe
1316	powershell.exe
5016	powershell.exe
5016	powershell.exe
2912	powershell.exe
2912	powershell.exe
3548	powershell.exe
3548	powershell.exe
2760	powershell.exe
1760	powershell.exe
2760	powershell.exe
1760	powershell.exe
876	powershell.exe
876	powershell.exe
4408	powershell.exe
4408	powershell.exe
1104	powershell.exe
1104	powershell.exe
2292	powershell.exe
2292	powershell.exe
3336	powershell.exe
3336	powershell.exe
940	powershell.exe
940	powershell.exe
1368	powershell.exe
1368	powershell.exe
4880	powershell.exe
4880	powershell.exe
772	powershell.exe
772	powershell.exe
4124	powershell.exe
1316	powershell.exe
4408	powershell.exe
5048	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	5240	fontdrvhost.exe
Token: SeDebugPrivilege	5068	fontdrvhost.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exefontdrvhost.exeWScript.exe

description	pid	Process	procid_target
PID 4532 wrote to memory of 5016	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	161
PID 4532 wrote to memory of 5016	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	161
PID 4532 wrote to memory of 1368	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	162
PID 4532 wrote to memory of 1368	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	162
PID 4532 wrote to memory of 1316	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	163
PID 4532 wrote to memory of 1316	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	163
PID 4532 wrote to memory of 4880	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	164
PID 4532 wrote to memory of 4880	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	164
PID 4532 wrote to memory of 2912	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	165
PID 4532 wrote to memory of 2912	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	165
PID 4532 wrote to memory of 5048	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	166
PID 4532 wrote to memory of 5048	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	166
PID 4532 wrote to memory of 876	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	167
PID 4532 wrote to memory of 876	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	167
PID 4532 wrote to memory of 4408	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	168
PID 4532 wrote to memory of 4408	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	168
PID 4532 wrote to memory of 3336	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	169
PID 4532 wrote to memory of 3336	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	169
PID 4532 wrote to memory of 1760	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	170
PID 4532 wrote to memory of 1760	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	170
PID 4532 wrote to memory of 1104	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	171
PID 4532 wrote to memory of 1104	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	171
PID 4532 wrote to memory of 4124	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	172
PID 4532 wrote to memory of 4124	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	172
PID 4532 wrote to memory of 772	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	173
PID 4532 wrote to memory of 772	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	173
PID 4532 wrote to memory of 2292	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	174
PID 4532 wrote to memory of 2292	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	174
PID 4532 wrote to memory of 3548	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	175
PID 4532 wrote to memory of 3548	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	175
PID 4532 wrote to memory of 940	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	176
PID 4532 wrote to memory of 940	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	176
PID 4532 wrote to memory of 2760	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	177
PID 4532 wrote to memory of 2760	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	177
PID 4532 wrote to memory of 5240	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	195
PID 4532 wrote to memory of 5240	4532	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	195
PID 5240 wrote to memory of 5672	5240	fontdrvhost.exe	196
PID 5240 wrote to memory of 5672	5240	fontdrvhost.exe	196
PID 5240 wrote to memory of 5788	5240	fontdrvhost.exe	197
PID 5240 wrote to memory of 5788	5240	fontdrvhost.exe	197
PID 5672 wrote to memory of 5068	5672	WScript.exe	203
PID 5672 wrote to memory of 5068	5672	WScript.exe	203

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
"C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\es-ES\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\regid.1991-06.com.microsoft\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\ssh\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Recovery\WindowsRE\fontdrvhost.exe
  "C:\Recovery\WindowsRE\fontdrvhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5240
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02311f8c-63b1-4440-a1b2-9448ce139b83.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5672
  - - C:\Recovery\WindowsRE\fontdrvhost.exe
      C:\Recovery\WindowsRE\fontdrvhost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5068
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9979110-27b1-4267-b432-b61e4ea49195.vbs"
    3⤵
    PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "58VORegistry" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vZSCRegistry" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LjDoRegistry" /sc ONSTART /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "qAqHIdle" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Ac39Idle" /sc ONLOGON /tr "'C:\Users\Admin\Recent\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "L1QcIdle" /sc ONSTART /tr "'C:\Users\Admin\Recent\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Recent\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MfU5sihost" /sc MINUTE /mo 5 /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "GqSLsihost" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vcsgsihost" /sc ONSTART /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc MINUTE /mo 10 /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1UZKdllhost" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SZEtdllhost" /sc ONLOGON /tr "'C:\Windows\debug\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6Jundllhost" /sc ONSTART /tr "'C:\Windows\debug\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "W4OLIdle" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hp5HIdle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bP2EIdle" /sc ONSTART /tr "'C:\Program Files\Internet Explorer\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\es-ES\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Ixm7backgroundTaskHost" /sc MINUTE /mo 9 /tr "'C:\ProgramData\regid.1991-06.com.microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vsdRbackgroundTaskHost" /sc ONLOGON /tr "'C:\ProgramData\regid.1991-06.com.microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "823IbackgroundTaskHost" /sc ONSTART /tr "'C:\ProgramData\regid.1991-06.com.microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc MINUTE /mo 5 /tr "'C:\ProgramData\regid.1991-06.com.microsoft\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "q5v9dwm" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9FtOdwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "aZbldwm" /sc ONSTART /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XHKZfontdrvhost" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "xS0sfontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wPngfontdrvhost" /sc ONSTART /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Dt89explorer" /sc MINUTE /mo 5 /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Vd9Eexplorer" /sc ONLOGON /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UwfGexplorer" /sc ONSTART /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 11 /tr "'C:\Documents and Settings\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "We4Ounsecapp" /sc MINUTE /mo 7 /tr "'C:\Documents and Settings\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UjaBunsecapp" /sc ONLOGON /tr "'C:\Documents and Settings\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zdKsunsecapp" /sc ONSTART /tr "'C:\Documents and Settings\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc MINUTE /mo 9 /tr "'C:\Documents and Settings\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "y0Hyfontdrvhost" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LvpOfontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8tj7fontdrvhost" /sc ONSTART /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "qt4xupfc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "eGpYupfc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "g1sNupfc" /sc ONSTART /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BiXPupfc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "i3DJupfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MtFdupfc" /sc ONSTART /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tKbHcsrss" /sc MINUTE /mo 11 /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Ajs8csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mzkpcsrss" /sc ONSTART /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 5 /tr "'C:\Documents and Settings\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "izSzdwm" /sc MINUTE /mo 14 /tr "'C:\ProgramData\ssh\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6XqRdwm" /sc ONLOGON /tr "'C:\ProgramData\ssh\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Tnmgdwm" /sc ONSTART /tr "'C:\ProgramData\ssh\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 12 /tr "'C:\ProgramData\ssh\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7jIuupfc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bm4Supfc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "aXcCupfc" /sc ONSTART /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\es-ES\Idle.exe

Filesize
1.5MB

MD5
8a3610882dcd50607fd3fa01d7a27b70

SHA1
3f3823159964a51f3e55decdbe83abaf79ba9d8a

SHA256
5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781

SHA512
faca6c13605606e436ca4c78ce0fd2f8cbafaa5ef72f68aae880ee9528377aff69b58f5e16633ee3cf7bec4f732de86fcebafd1ba1490636d0676f9d0a32a444

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\upfc.exe

Filesize
1.5MB

MD5
ea85366d1b511067ec850e60d465e62d

SHA1
6406fee0a8887250f91280bf6c4f95e5c4aade6e

SHA256
dca39e6e8ea41b765c6a86de48991e585211aa248e8faa6e94b7256491f3716c

SHA512
d96ceb3f01f8523d3db1309f2d193d2e7f054028e9b6d61e476320591bd12d407a014d5b8a83a10a17b4567e9580528924f122197273515914ada87337da0efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\02311f8c-63b1-4440-a1b2-9448ce139b83.vbs

Filesize
713B

MD5
fa0e00b8e9587c848b0c5ef05fae2523

SHA1
d9c807bbd29c31e501095f139470291f3e83a1ab

SHA256
be3c6893bfda5076d2b1b857ef9c77ca1bc5a2c617a675508b2fd8afe1b0c9cc

SHA512
1838c4bd5a4dab4d9680c0b6c21988424882c8c12f0d2f58688a185ef452848fc586e671ae9fb9ddfe07210e621b57bcea63e76a73fd837a8665eb8d4984bc8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p1t1cwfp.l14.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9979110-27b1-4267-b432-b61e4ea49195.vbs

Filesize
489B

MD5
a96552175629ebb11236bde9255015d1

SHA1
6de966d82439c32f1c9810a5b4a6ea9fbcae3058

SHA256
a9d9e674177c6cf1286b0e222ac9d94530fcac9b36b6fedc6c2dba3f10f3a94d

SHA512
c456f2be83ffccabc8e621f0f394132fa353cce35f729447c90c4f3ddb4fc19bc254f1b950db738543771c9e94c8bbffb1a1bc281b53b8feb59c917adf062792

Download Submit
memory/1316-216-0x0000016D5BA60000-0x0000016D5BA82000-memory.dmp

Filesize
136KB

Download
memory/4532-14-0x000000001AE80000-0x000000001AE8C000-memory.dmp

Filesize
48KB

Download
memory/4532-8-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/4532-11-0x0000000002420000-0x000000000242A000-memory.dmp

Filesize
40KB

Download
memory/4532-0-0x00007FFE304F3000-0x00007FFE304F5000-memory.dmp

Filesize
8KB

Download
memory/4532-12-0x000000001AE60000-0x000000001AE6C000-memory.dmp

Filesize
48KB

Download
memory/4532-129-0x00007FFE304F3000-0x00007FFE304F5000-memory.dmp

Filesize
8KB

Download
memory/4532-10-0x0000000002410000-0x000000000241C000-memory.dmp

Filesize
48KB

Download
memory/4532-144-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-9-0x00000000023F0000-0x00000000023FC000-memory.dmp

Filesize
48KB

Download
memory/4532-13-0x000000001AE70000-0x000000001AE7A000-memory.dmp

Filesize
40KB

Download
memory/4532-372-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-7-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4532-4-0x000000001AE10000-0x000000001AE60000-memory.dmp

Filesize
320KB

Download
memory/4532-6-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/4532-5-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/4532-3-0x0000000000BC0000-0x0000000000BDC000-memory.dmp

Filesize
112KB

Download
memory/4532-2-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-1-0x0000000000100000-0x000000000028C000-memory.dmp

Filesize
1.5MB

Download