dcrat | 5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01

Analysis

max time kernel
116s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Size

1.1MB
MD5

7f1a6a71484ac1b261fe91aa1c83ba40
SHA1

fc04b2dc24f946b1a18a36c5a565a66c60cb740b
SHA256

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01
SHA512

7c798991dd774434f04d535d5f34982f8c868ec3fb595d773da64364cf0430bbe44d49056c35a27e2b4161c4daad94989344c250dc6fb1c976e7d230eedb7661
SSDEEP

24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpd:EPkVXFGDQoP7FRCZRonh4hfewhmpd

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	3280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	3280	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1360-12-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1852	powershell.exe
3512	powershell.exe
2584	powershell.exe
4424	powershell.exe
64	powershell.exe
3876	powershell.exe
2772	powershell.exe
2004	powershell.exe
3616	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exeMoUsoCoreWorker.exeMoUsoCoreWorker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe

Executes dropped EXE 5 IoCs

Processes:

MoUsoCoreWorker.exeMoUsoCoreWorker.exeMoUsoCoreWorker.exeMoUsoCoreWorker.exeMoUsoCoreWorker.exe

pid process

2712 MoUsoCoreWorker.exe
3388 MoUsoCoreWorker.exe
3052 MoUsoCoreWorker.exe
2788 MoUsoCoreWorker.exe
212 MoUsoCoreWorker.exe

pid	process
2712	MoUsoCoreWorker.exe
3388	MoUsoCoreWorker.exe
3052	MoUsoCoreWorker.exe
2788	MoUsoCoreWorker.exe
212	MoUsoCoreWorker.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exeMoUsoCoreWorker.exeMoUsoCoreWorker.exe

description	pid	process	target process
PID 3228 set thread context of 1360	3228	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 2712 set thread context of 3388	2712	MoUsoCoreWorker.exe	MoUsoCoreWorker.exe
PID 3052 set thread context of 2788	3052	MoUsoCoreWorker.exe	MoUsoCoreWorker.exe

Drops file in Program Files directory 10 IoCs

Processes:

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\RCXF8CB.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXFDC0.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\TextInputHost.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files\Uninstall Information\55b276f4edf653	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Windows Mail\TextInputHost.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXF8CC.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXFE3E.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Windows Mail\22eafd247d37c3	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Drops file in Windows directory 15 IoCs

Processes:

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

description	ioc	process
File opened for modification	C:\Windows\TAPI\RCXEFBA.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\TAPI\RCXEFBB.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\Fonts\RCX43.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\Fonts\RCXC1.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Windows\TAPI\Registry.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Windows\TAPI\ee2ad38f3d4382	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Windows\Fonts\SearchApp.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Windows\es-ES\MoUsoCoreWorker.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Windows\Fonts\38384e6a620884	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\es-ES\MoUsoCoreWorker.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\Fonts\SearchApp.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\TAPI\Registry.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Windows\es-ES\1f93f77a7f4778	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\es-ES\RCXF442.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\es-ES\RCXF443.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MoUsoCoreWorker.exeWScript.exeMoUsoCoreWorker.exepowershell.exepowershell.exepowershell.exew32tm.exeMoUsoCoreWorker.exeMoUsoCoreWorker.exepowershell.exeWScript.exeWScript.exe5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exepowershell.exepowershell.exepowershell.exeWScript.exe5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exepowershell.exepowershell.execmd.exeMoUsoCoreWorker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MoUsoCoreWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MoUsoCoreWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MoUsoCoreWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MoUsoCoreWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MoUsoCoreWorker.exe

Modifies registry class 3 IoCs

Processes:

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exeMoUsoCoreWorker.exeMoUsoCoreWorker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	MoUsoCoreWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	MoUsoCoreWorker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3580	schtasks.exe
1184	schtasks.exe
2768	schtasks.exe
5088	schtasks.exe
4432	schtasks.exe
4684	schtasks.exe
2456	schtasks.exe
3460	schtasks.exe
2296	schtasks.exe
1452	schtasks.exe
2788	schtasks.exe
1572	schtasks.exe
2088	schtasks.exe
2040	schtasks.exe
692	schtasks.exe
1132	schtasks.exe
3520	schtasks.exe
1700	schtasks.exe
1072	schtasks.exe
4804	schtasks.exe
3544	schtasks.exe
2524	schtasks.exe
1632	schtasks.exe
2280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeMoUsoCoreWorker.exeMoUsoCoreWorker.exe

pid	process
1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
3512	powershell.exe
3512	powershell.exe
2004	powershell.exe
2004	powershell.exe
64	powershell.exe
64	powershell.exe
3616	powershell.exe
3616	powershell.exe
2584	powershell.exe
2584	powershell.exe
2772	powershell.exe
2772	powershell.exe
1852	powershell.exe
1852	powershell.exe
3876	powershell.exe
3876	powershell.exe
4424	powershell.exe
4424	powershell.exe
64	powershell.exe
2004	powershell.exe
3512	powershell.exe
1852	powershell.exe
4424	powershell.exe
2584	powershell.exe
3616	powershell.exe
2772	powershell.exe
3876	powershell.exe
3388	MoUsoCoreWorker.exe
2788	MoUsoCoreWorker.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	3388	MoUsoCoreWorker.exe
Token: SeDebugPrivilege	2788	MoUsoCoreWorker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.execmd.exew32tm.exeMoUsoCoreWorker.exeMoUsoCoreWorker.exeWScript.exeMoUsoCoreWorker.exe

description	pid	process	target process
PID 3228 wrote to memory of 1360	3228	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 3228 wrote to memory of 1360	3228	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 3228 wrote to memory of 1360	3228	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 3228 wrote to memory of 1360	3228	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 3228 wrote to memory of 1360	3228	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 3228 wrote to memory of 1360	3228	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 3228 wrote to memory of 1360	3228	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 3228 wrote to memory of 1360	3228	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
PID 1360 wrote to memory of 3512	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 3512	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 3512	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 64	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 64	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 64	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 4424	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 4424	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 4424	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 2584	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 2584	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 2584	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 2772	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 2772	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 2772	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 2004	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 2004	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 2004	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 3876	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 3876	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 3876	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 1852	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 1852	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 1852	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 3616	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 3616	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 3616	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	powershell.exe
PID 1360 wrote to memory of 1768	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	cmd.exe
PID 1360 wrote to memory of 1768	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	cmd.exe
PID 1360 wrote to memory of 1768	1360	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	cmd.exe
PID 1768 wrote to memory of 4352	1768	cmd.exe	w32tm.exe
PID 1768 wrote to memory of 4352	1768	cmd.exe	w32tm.exe
PID 1768 wrote to memory of 4352	1768	cmd.exe	w32tm.exe
PID 4352 wrote to memory of 4904	4352	w32tm.exe	w32tm.exe
PID 4352 wrote to memory of 4904	4352	w32tm.exe	w32tm.exe
PID 1768 wrote to memory of 2712	1768	cmd.exe	MoUsoCoreWorker.exe
PID 1768 wrote to memory of 2712	1768	cmd.exe	MoUsoCoreWorker.exe
PID 1768 wrote to memory of 2712	1768	cmd.exe	MoUsoCoreWorker.exe
PID 2712 wrote to memory of 3388	2712	MoUsoCoreWorker.exe	MoUsoCoreWorker.exe
PID 2712 wrote to memory of 3388	2712	MoUsoCoreWorker.exe	MoUsoCoreWorker.exe
PID 2712 wrote to memory of 3388	2712	MoUsoCoreWorker.exe	MoUsoCoreWorker.exe
PID 2712 wrote to memory of 3388	2712	MoUsoCoreWorker.exe	MoUsoCoreWorker.exe
PID 2712 wrote to memory of 3388	2712	MoUsoCoreWorker.exe	MoUsoCoreWorker.exe
PID 2712 wrote to memory of 3388	2712	MoUsoCoreWorker.exe	MoUsoCoreWorker.exe
PID 2712 wrote to memory of 3388	2712	MoUsoCoreWorker.exe	MoUsoCoreWorker.exe
PID 2712 wrote to memory of 3388	2712	MoUsoCoreWorker.exe	MoUsoCoreWorker.exe
PID 3388 wrote to memory of 2900	3388	MoUsoCoreWorker.exe	WScript.exe
PID 3388 wrote to memory of 2900	3388	MoUsoCoreWorker.exe	WScript.exe
PID 3388 wrote to memory of 2900	3388	MoUsoCoreWorker.exe	WScript.exe
PID 3388 wrote to memory of 544	3388	MoUsoCoreWorker.exe	WScript.exe
PID 3388 wrote to memory of 544	3388	MoUsoCoreWorker.exe	WScript.exe
PID 3388 wrote to memory of 544	3388	MoUsoCoreWorker.exe	WScript.exe
PID 2900 wrote to memory of 3052	2900	WScript.exe	MoUsoCoreWorker.exe
PID 2900 wrote to memory of 3052	2900	WScript.exe	MoUsoCoreWorker.exe
PID 2900 wrote to memory of 3052	2900	WScript.exe	MoUsoCoreWorker.exe
PID 3052 wrote to memory of 2788	3052	MoUsoCoreWorker.exe	MoUsoCoreWorker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
"C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3512
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\Registry.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:64
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4424
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\MoUsoCoreWorker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\SearchApp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aURWjxsM8E.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4352
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4904
  - - C:\Windows\es-ES\MoUsoCoreWorker.exe
      "C:\Windows\es-ES\MoUsoCoreWorker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\es-ES\MoUsoCoreWorker.exe
        
        "{path}"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3388
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9429b61-bd4b-49e4-8515-a82ce1e5f9ac.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\es-ES\MoUsoCoreWorker.exe
        
        C:\Windows\es-ES\MoUsoCoreWorker.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\es-ES\MoUsoCoreWorker.exe
        
        "{path}"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\805900b7-4c75-4845-930c-22a861ef5c98.vbs"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\es-ES\MoUsoCoreWorker.exe
        
        C:\Windows\es-ES\MoUsoCoreWorker.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0fa4d95-511b-4b1b-8d52-395c22270514.vbs"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\405f1afe-21ba-4ec7-89c9-0f512d37df16.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\TAPI\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\es-ES\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N5" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N" /sc ONLOGON /tr "'C:\Users\Default\Pictures\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N5" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\TextInputHost.exe

Filesize
1.1MB

MD5
049f7057bfb76e3ff278da3343fe2b68

SHA1
679b85bd652aea67e79faad1efe29be581fcc582

SHA256
1d249f1e78fc47330ed509e8daafcb4acbabd1c074a351dfdf245ef02a4e64ab

SHA512
ce93019914d8e190759aeb12094027236856381ddb4df2eeb5852f69d0289d8d4a70c2bfbd583c40f00387747b8a6e4da4d81cd4b97b9b2019d5f61028c70b14

Download Submit
C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe

Filesize
1.1MB

MD5
7f1a6a71484ac1b261fe91aa1c83ba40

SHA1
fc04b2dc24f946b1a18a36c5a565a66c60cb740b

SHA256
5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01

SHA512
7c798991dd774434f04d535d5f34982f8c868ec3fb595d773da64364cf0430bbe44d49056c35a27e2b4161c4daad94989344c250dc6fb1c976e7d230eedb7661

Download Submit
C:\Recovery\WindowsRE\WmiPrvSE.exe

Filesize
1.1MB

MD5
25e73a0f1ceae4d4b9d15e05a7c86b1c

SHA1
48e90b39195963779e3715cf13d277bae8ca9c0e

SHA256
5fe9460bb08f2ff8ef9efc34a8bbc27eff231ec44c3fe5809445cfa3512f7a88

SHA512
b17feff72dbb926a607125a1972160620e17ceb5aad9586023102f64785bd463802c09c10cf44fc29792dd678e3099b58dcfbd9b7dc90e73cb0a7f869a15823d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2d6fd1c703e7db65873b56bed965907f

SHA1
a5508867eb0bb3fd387553f9db5069d86fb478e0

SHA256
c49fedb6ce4d1519ed710706f291a629261065361d6b74f591890dce90b04363

SHA512
d1ffdb16704c4d346ad143c49f24b31122e60ce6f80de28c0b6c641d57174b7c86b7113080b7031f53f85b81b7cd925650c26ee2d7f2f3b869f5c8d1164e9098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4fb83356691d1977d9680f289725bdd9

SHA1
a4b3ffe89dba23839a087728d9fa81a909702f6c

SHA256
f0daf0e2e0ed9a16cb89e85c37bbfec8add40489d0d89065e7d25d0dce4ad602

SHA512
25a629df6b255720b13c4fd9d60615346a2d033069ab854022f571dde26191cbcf146c919a96ddb820eee7bcdb663f6dc1f75e3d2ee729ebe5cb5b373ee06250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
03ace0368558154ccda6ce609162c6d1

SHA1
85047b043319848eb3574d8d6e0a0417937a6c00

SHA256
10e6c318700944bbca33d581507f46e6c8826be3afbf7b48c62730ea8e1f0b8c

SHA512
86b9d6a44e927bda3495077e19c1e7013a17353dc957c91527d79f4e0dcc8c901bbcc9b57c74c9a807d7b25d3709fdb6e497b26657ed72253418297188d64e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
55fd89647131cae6a4e3e5891432735c

SHA1
aec9a7cdbd0c1ec3ba22240d2e7448c427170c32

SHA256
e9aa1cc880b6fa4576c4525d0c6426eff92fb62b67bd323aa21d5b962426a8ec

SHA512
991361fbf83a17d72461b19a9804c3fae1722df03941190b1b8c40ab9c190489c2e72842125310341eb4da04046af8e3531021f7b4b15bddc972d392e5d6f156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
66220b1005f367bf0cf4f2f2234952ab

SHA1
01845e6e514202a996066949f8d078251359a3e8

SHA256
b56464d7b708d854406090710d5a67960e4e40fdbf6d46588d41e79fdf978746

SHA512
946bb07c5890b05b631e146ae2768f7cbe7998137799f448d8f6c5232e78d5acd71ecdcb14815a6c586e2efc04f0cf3fc992f32803267b6412ea3f48d690a25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\405f1afe-21ba-4ec7-89c9-0f512d37df16.vbs

Filesize
488B

MD5
27cfd3eb09d7ba554a574bae4f5d70e8

SHA1
9c586f5b12fe5e9f8d459b85114da005fb79f2fe

SHA256
040b8321950b8e9b313b029f75c6d5bc8143d6f5438ff88f3a4b151218f640e7

SHA512
178ccb47614adf94b40a491030e4eb134a2515cee7c1c6152e1c9330c22604e53201b919c4c77941c9ae919956c122fe31577550649abe0c95b6b03110392d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\805900b7-4c75-4845-930c-22a861ef5c98.vbs

Filesize
712B

MD5
c622940cc0986394e3e6f79eb1a379ad

SHA1
f359743c16e74c5df494ada1a56bf502753f4234

SHA256
d55868fc47f224d29a1351a37d530b45599c31e696d1092572fcf760aaddce71

SHA512
6a790f5731daa70af6ee7d60c36090773b754d0b5b5ef5f2be7bf02e0e881e971f7b4a786950f15fb03aed37ac3b3be734b3c0db57b3f8050f1d22f827a5ba47

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wmw5qogw.d4k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9429b61-bd4b-49e4-8515-a82ce1e5f9ac.vbs

Filesize
712B

MD5
7332c4c94648478d0f16bf82353d46e9

SHA1
6d7b8d0574b1efec17be3155aec2eaf1b2e4ce5b

SHA256
b5ede6ec8cd94cf6e1680c3844fbe64786374c3f7f994ceef5f25eb999641180

SHA512
59b4dc9ba6c1a1b6646399ceca10bf450f6ef737e0cada9da5c8a321f6cf455f8b0354fdda3acb3d28240c75794008cc2f96a110ae4e1b4634ad100cf92823ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\aURWjxsM8E.bat

Filesize
201B

MD5
7299970b3e31e84c4458d72129705f42

SHA1
f37e05b10374881f418376c1f8c3700f7c04a09d

SHA256
5e1da2bd86431f5a74ec82b93d1ecdda0351ebdc48de5686543692c23683e27e

SHA512
97a22cd4f29e17d34f6d36c7cefefd1af658e3d5f246b0a2b9083dc05707c1c09f44ee6a48cbe84f8d26e90752b23ec2d4daa92f796e63062506147ef1c74d6a

Download Submit
C:\Windows\Fonts\SearchApp.exe

Filesize
1.1MB

MD5
d9a1d7463dadfe76566f50b92f6b3573

SHA1
418078ef3c7c645f2ec98dc4b45f30819207430e

SHA256
0c80e08322d4765c8e51d545e9fe107f88484666a24f2b59ab717f2b460c4537

SHA512
dfe4fc5c73e87061ba09dea84a4d3f6191bbe6f57a113199dffc4f570c74a355004279382b6385e209a797142fa89671075ea5b0504ecd3dfe0d678cbc880d67

Download Submit
memory/64-340-0x0000000007390000-0x00000000073A4000-memory.dmp

Filesize
80KB

Download
memory/64-236-0x0000000005E30000-0x0000000005E4E000-memory.dmp

Filesize
120KB

Download
memory/64-166-0x0000000005810000-0x0000000005B64000-memory.dmp

Filesize
3.3MB

Download
memory/64-150-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/64-151-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/64-237-0x0000000005EC0000-0x0000000005F0C000-memory.dmp

Filesize
304KB

Download
memory/64-148-0x0000000004EE0000-0x0000000005508000-memory.dmp

Filesize
6.2MB

Download
memory/64-147-0x00000000047F0000-0x0000000004826000-memory.dmp

Filesize
216KB

Download
memory/64-251-0x0000000071B10000-0x0000000071B5C000-memory.dmp

Filesize
304KB

Download
memory/64-342-0x0000000007490000-0x00000000074AA000-memory.dmp

Filesize
104KB

Download
memory/64-343-0x0000000007470000-0x0000000007478000-memory.dmp

Filesize
32KB

Download
memory/1360-20-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/1360-21-0x0000000002FD0000-0x0000000002FE6000-memory.dmp

Filesize
88KB

Download
memory/1360-30-0x0000000006010000-0x000000000601C000-memory.dmp

Filesize
48KB

Download
memory/1360-33-0x0000000006980000-0x00000000069E6000-memory.dmp

Filesize
408KB

Download
memory/1360-27-0x0000000005FA0000-0x0000000005FAE000-memory.dmp

Filesize
56KB

Download
memory/1360-28-0x0000000005FC0000-0x0000000005FCC000-memory.dmp

Filesize
48KB

Download
memory/1360-26-0x0000000005F80000-0x0000000005F8A000-memory.dmp

Filesize
40KB

Download
memory/1360-25-0x0000000005F70000-0x0000000005F7C000-memory.dmp

Filesize
48KB

Download
memory/1360-24-0x0000000009330000-0x000000000985C000-memory.dmp

Filesize
5.2MB

Download
memory/1360-23-0x0000000005ED0000-0x0000000005EE2000-memory.dmp

Filesize
72KB

Download
memory/1360-22-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/1360-29-0x0000000005FF0000-0x0000000005FFA000-memory.dmp

Filesize
40KB

Download
memory/1360-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1360-167-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1360-19-0x0000000005E70000-0x0000000005EC0000-memory.dmp

Filesize
320KB

Download
memory/1360-18-0x0000000002F80000-0x0000000002F9C000-memory.dmp

Filesize
112KB

Download
memory/1360-17-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1360-15-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1852-335-0x00000000078E0000-0x00000000078F1000-memory.dmp

Filesize
68KB

Download
memory/1852-334-0x0000000007960000-0x00000000079F6000-memory.dmp

Filesize
600KB

Download
memory/1852-339-0x0000000007910000-0x000000000791E000-memory.dmp

Filesize
56KB

Download
memory/1852-254-0x0000000071B10000-0x0000000071B5C000-memory.dmp

Filesize
304KB

Download
memory/2004-271-0x0000000071B10000-0x0000000071B5C000-memory.dmp

Filesize
304KB

Download
memory/2584-272-0x0000000071B10000-0x0000000071B5C000-memory.dmp

Filesize
304KB

Download
memory/2712-341-0x0000000005060000-0x0000000005072000-memory.dmp

Filesize
72KB

Download
memory/2772-321-0x0000000071B10000-0x0000000071B5C000-memory.dmp

Filesize
304KB

Download
memory/3228-8-0x000000007531E000-0x000000007531F000-memory.dmp

Filesize
4KB

Download
memory/3228-10-0x0000000007680000-0x0000000007776000-memory.dmp

Filesize
984KB

Download
memory/3228-1-0x00000000005C0000-0x00000000006EC000-memory.dmp

Filesize
1.2MB

Download
memory/3228-2-0x0000000005580000-0x0000000005B24000-memory.dmp

Filesize
5.6MB

Download
memory/3228-3-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/3228-4-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/3228-6-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/3228-5-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3228-7-0x0000000005570000-0x0000000005582000-memory.dmp

Filesize
72KB

Download
memory/3228-16-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3228-0-0x000000007531E000-0x000000007531F000-memory.dmp

Filesize
4KB

Download
memory/3228-9-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3228-11-0x0000000009C70000-0x0000000009D9E000-memory.dmp

Filesize
1.2MB

Download
memory/3512-333-0x0000000007620000-0x000000000762A000-memory.dmp

Filesize
40KB

Download
memory/3512-249-0x0000000006850000-0x000000000686E000-memory.dmp

Filesize
120KB

Download
memory/3512-238-0x0000000007240000-0x0000000007272000-memory.dmp

Filesize
200KB

Download
memory/3512-250-0x0000000007480000-0x0000000007523000-memory.dmp

Filesize
652KB

Download
memory/3512-332-0x00000000075B0000-0x00000000075CA000-memory.dmp

Filesize
104KB

Download
memory/3512-331-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/3512-239-0x0000000071B10000-0x0000000071B5C000-memory.dmp

Filesize
304KB

Download
memory/3616-292-0x0000000071B10000-0x0000000071B5C000-memory.dmp

Filesize
304KB

Download
memory/3876-311-0x0000000071B10000-0x0000000071B5C000-memory.dmp

Filesize
304KB

Download
memory/4424-270-0x0000000071B10000-0x0000000071B5C000-memory.dmp

Filesize
304KB

Download