dcrat | 97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3e

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
Size

1.7MB
MD5

f8d95a8e29563bbdfe9bd258da9b8da0
SHA1

65a0879ce2667b911c2208c29aafaec6be143ac7
SHA256

97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3e
SHA512

7e6e78bf6d5fcc29f3f373a511da1e44a393b5ff9dab787c7935cf815f189abfaca78239b66c156de9cdccbf97f32c2439cf29ca295316e41ee3cc1b7633bdde
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1148	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	1148	schtasks.exe	82

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/64-1-0x0000000000120000-0x00000000002E0000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b98-30.dat	dcrat
behavioral2/files/0x000800000001e72a-105.dat	dcrat
behavioral2/files/0x0010000000023bca-126.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
636	powershell.exe
1016	powershell.exe
4292	powershell.exe
2592	powershell.exe
4348	powershell.exe
2216	powershell.exe
2864	powershell.exe
2964	powershell.exe
4212	powershell.exe
4872	powershell.exe
2100	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 7 IoCs

pid	Process
3440	fontdrvhost.exe
1108	fontdrvhost.exe
2592	fontdrvhost.exe
3948	fontdrvhost.exe
3364	fontdrvhost.exe
3224	fontdrvhost.exe
4044	fontdrvhost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\sysmon.exe	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\121e5b5079f7c0	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\RCXB75E.tmp	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\RCXB75F.tmp	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\sysmon.exe	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\Windows\PrintDialog\6203df4a6bafc7	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Windows\PrintDialog\RCXA9C7.tmp	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Windows\twain_32\RCXAE7E.tmp	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Windows\ModemLogs\RCXB549.tmp	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Windows\ModemLogs\explorer.exe	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File created	C:\Windows\PrintDialog\lsass.exe	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File created	C:\Windows\twain_32\TextInputHost.exe	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File created	C:\Windows\twain_32\22eafd247d37c3	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXA369.tmp	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Windows\PrintDialog\RCXAA45.tmp	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Windows\PrintDialog\lsass.exe	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Windows\ModemLogs\RCXB548.tmp	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File created	C:\Windows\diagnostics\scheduled\fontdrvhost.exe	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File created	C:\Windows\Downloaded Program Files\886983d96e3d3e	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File created	C:\Windows\Boot\PCAT\es-MX\SppExtComObj.exe	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXA368.tmp	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Windows\twain_32\RCXAF0C.tmp	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File created	C:\Windows\Downloaded Program Files\csrss.exe	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File created	C:\Windows\ModemLogs\7a0fd90576e088	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Windows\Downloaded Program Files\csrss.exe	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File opened for modification	C:\Windows\twain_32\TextInputHost.exe	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
File created	C:\Windows\ModemLogs\explorer.exe	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3936	schtasks.exe
4608	schtasks.exe
2908	schtasks.exe
3552	schtasks.exe
1340	schtasks.exe
4884	schtasks.exe
3204	schtasks.exe
3040	schtasks.exe
2780	schtasks.exe
2572	schtasks.exe
2012	schtasks.exe
3020	schtasks.exe
2928	schtasks.exe
3664	schtasks.exe
4304	schtasks.exe
1996	schtasks.exe
3172	schtasks.exe
2548	schtasks.exe
3680	schtasks.exe
444	schtasks.exe
3292	schtasks.exe
4892	schtasks.exe
2840	schtasks.exe
3908	schtasks.exe
2108	schtasks.exe
1736	schtasks.exe
1364	schtasks.exe
4876	schtasks.exe
2752	schtasks.exe
704	schtasks.exe
5084	schtasks.exe
4232	schtasks.exe
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
2864	powershell.exe
2864	powershell.exe
2100	powershell.exe
2100	powershell.exe
2592	powershell.exe
2592	powershell.exe
4212	powershell.exe
4212	powershell.exe
2964	powershell.exe
2964	powershell.exe
4292	powershell.exe
4292	powershell.exe
4348	powershell.exe
4348	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	3440	fontdrvhost.exe
Token: SeDebugPrivilege	1108	fontdrvhost.exe
Token: SeDebugPrivilege	2592	fontdrvhost.exe
Token: SeDebugPrivilege	3948	fontdrvhost.exe
Token: SeDebugPrivilege	3364	fontdrvhost.exe
Token: SeDebugPrivilege	3224	fontdrvhost.exe
Token: SeDebugPrivilege	4044	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 1016	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	120
PID 64 wrote to memory of 1016	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	120
PID 64 wrote to memory of 4212	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	121
PID 64 wrote to memory of 4212	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	121
PID 64 wrote to memory of 4292	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	122
PID 64 wrote to memory of 4292	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	122
PID 64 wrote to memory of 2592	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	123
PID 64 wrote to memory of 2592	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	123
PID 64 wrote to memory of 4872	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	124
PID 64 wrote to memory of 4872	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	124
PID 64 wrote to memory of 4348	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	125
PID 64 wrote to memory of 4348	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	125
PID 64 wrote to memory of 2216	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	126
PID 64 wrote to memory of 2216	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	126
PID 64 wrote to memory of 2864	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	127
PID 64 wrote to memory of 2864	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	127
PID 64 wrote to memory of 2100	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	128
PID 64 wrote to memory of 2100	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	128
PID 64 wrote to memory of 2964	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	129
PID 64 wrote to memory of 2964	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	129
PID 64 wrote to memory of 636	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	130
PID 64 wrote to memory of 636	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	130
PID 64 wrote to memory of 3440	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	142
PID 64 wrote to memory of 3440	64	97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe	142
PID 3440 wrote to memory of 880	3440	fontdrvhost.exe	145
PID 3440 wrote to memory of 880	3440	fontdrvhost.exe	145
PID 3440 wrote to memory of 1628	3440	fontdrvhost.exe	146
PID 3440 wrote to memory of 1628	3440	fontdrvhost.exe	146
PID 880 wrote to memory of 1108	880	WScript.exe	147
PID 880 wrote to memory of 1108	880	WScript.exe	147
PID 1108 wrote to memory of 1640	1108	fontdrvhost.exe	148
PID 1108 wrote to memory of 1640	1108	fontdrvhost.exe	148
PID 1108 wrote to memory of 1252	1108	fontdrvhost.exe	149
PID 1108 wrote to memory of 1252	1108	fontdrvhost.exe	149
PID 1640 wrote to memory of 2592	1640	WScript.exe	152
PID 1640 wrote to memory of 2592	1640	WScript.exe	152
PID 2592 wrote to memory of 4212	2592	fontdrvhost.exe	153
PID 2592 wrote to memory of 4212	2592	fontdrvhost.exe	153
PID 2592 wrote to memory of 3540	2592	fontdrvhost.exe	154
PID 2592 wrote to memory of 3540	2592	fontdrvhost.exe	154
PID 4212 wrote to memory of 3948	4212	WScript.exe	155
PID 4212 wrote to memory of 3948	4212	WScript.exe	155
PID 3948 wrote to memory of 2212	3948	fontdrvhost.exe	156
PID 3948 wrote to memory of 2212	3948	fontdrvhost.exe	156
PID 3948 wrote to memory of 3300	3948	fontdrvhost.exe	157
PID 3948 wrote to memory of 3300	3948	fontdrvhost.exe	157
PID 2212 wrote to memory of 3364	2212	WScript.exe	158
PID 2212 wrote to memory of 3364	2212	WScript.exe	158
PID 3364 wrote to memory of 4552	3364	fontdrvhost.exe	159
PID 3364 wrote to memory of 4552	3364	fontdrvhost.exe	159
PID 3364 wrote to memory of 3612	3364	fontdrvhost.exe	160
PID 3364 wrote to memory of 3612	3364	fontdrvhost.exe	160
PID 4552 wrote to memory of 3224	4552	WScript.exe	161
PID 4552 wrote to memory of 3224	4552	WScript.exe	161
PID 3224 wrote to memory of 4876	3224	fontdrvhost.exe	162
PID 3224 wrote to memory of 4876	3224	fontdrvhost.exe	162
PID 3224 wrote to memory of 3204	3224	fontdrvhost.exe	163
PID 3224 wrote to memory of 3204	3224	fontdrvhost.exe	163
PID 4876 wrote to memory of 4044	4876	WScript.exe	164
PID 4876 wrote to memory of 4044	4876	WScript.exe	164
PID 4044 wrote to memory of 3956	4044	fontdrvhost.exe	165
PID 4044 wrote to memory of 3956	4044	fontdrvhost.exe	165
PID 4044 wrote to memory of 840	4044	fontdrvhost.exe	166
PID 4044 wrote to memory of 840	4044	fontdrvhost.exe	166

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe
"C:\Users\Admin\AppData\Local\Temp\97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3eN.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:636
- C:\Recovery\WindowsRE\fontdrvhost.exe
  "C:\Recovery\WindowsRE\fontdrvhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dbd35a4-9b22-4552-a7d6-ed7c4c557cfb.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Recovery\WindowsRE\fontdrvhost.exe
      C:\Recovery\WindowsRE\fontdrvhost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc7d4bf9-23b6-40e0-a6d5-a05a075a54be.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdc3db39-3e44-4fa2-92e8-5d52f49ca68b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c0fd461-888c-43a1-bee2-4f63ebe5df65.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77f42841-20c2-444e-82c4-057b5d2fb1ed.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f885d285-7fc3-4db6-8552-81b0cfa6cafa.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23ee624f-44a8-4918-aba2-645b60722ca6.vbs"
        15⤵
        
        PID:3956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0a0908b-2227-4433-a7e0-80bb02e6a8bc.vbs"
        15⤵
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edb53d17-76dc-4b86-9715-f3debe82eb2d.vbs"
        13⤵
        
        PID:3204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\210ed018-3695-48a3-8f52-faeb9c34992f.vbs"
        11⤵
        
        PID:3612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26b92d2b-3f84-468a-aced-4607aa0b8f44.vbs"
        9⤵
        
        PID:3300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b9574b9-793c-427e-bc27-e1558bff4af3.vbs"
        7⤵
        
        PID:3540
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bd448da-cc9f-41d2-81be-ee0b52a88bbc.vbs"
        5⤵
        
        PID:1252
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07dd728c-3e49-4659-b488-5b033c0aa1a0.vbs"
    3⤵
    PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\PrintDialog\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\PrintDialog\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\PrintDialog\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\twain_32\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ModemLogs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\07dd728c-3e49-4659-b488-5b033c0aa1a0.vbs

Filesize
489B

MD5
90c41c971cd503e82839e243b2b2a518

SHA1
7cfaa56d2d316cb4250f77f9f3c31a7805f2e53b

SHA256
56b4c604ccb01a37a71b9e7d237cb1e18a5cfaa9f308f2196f31cfdd1334153a

SHA512
db339b0ea4aa4819fbc014b87c3b9f0c5a12995a52956c83754ecd6d8d9cf55bf538cbe852b0f7809423728c549f4586bb3ec77a951e62adb1d3450a0bc9f309

Download Submit
C:\Users\Admin\AppData\Local\Temp\23ee624f-44a8-4918-aba2-645b60722ca6.vbs

Filesize
713B

MD5
39895e3af7265f0fa428b8d468f9e6fc

SHA1
13eda315911c7b970df9fa54aff5b277ffda94e3

SHA256
34aede954e091a8958e435e2a7ecbdc683e2d74959a5877a9c4ef9766e13f065

SHA512
e0a979df9eb79a459d8937e4022e8e7654a03fe3996afc2b97cec3680266c38af36193574ae59e6ab375330725fa8be4466bf94dc1afb961322f95a99325301d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c0fd461-888c-43a1-bee2-4f63ebe5df65.vbs

Filesize
713B

MD5
4e172114a321dd6a072058d300906788

SHA1
703bb64169ff5f7f4e62c0047f551a43b2e1962d

SHA256
86a47b22c2d39b6d21871dd9dcf027b6f1e8a4ef128cf1928a18791c5cfad61b

SHA512
7c3118e13816625c521a3c38fba9188029054e0031b9543243d0c36ca4c33829c870afbc5c309fae6a4992288fcad5f6fe4d87676513e42c589ff6edf23db776

Download Submit
C:\Users\Admin\AppData\Local\Temp\77f42841-20c2-444e-82c4-057b5d2fb1ed.vbs

Filesize
713B

MD5
e3950c34387ffea06a2c0fa0c529b81d

SHA1
3d47829ed9c53f6d5e8e0fc163ec2f08b9017eba

SHA256
2cdb321636f930e3cbb9324459fe11c058c410409e0dc0dd86016928b2858cfa

SHA512
45ee2c0efd854cbff18abc980da241c6d7f8f8559cfd12febff258d1287adb6418f96afd98dcd7b13f39b7a5903214ff507c4758465dc17684ba4bc9f0e1d3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dbd35a4-9b22-4552-a7d6-ed7c4c557cfb.vbs

Filesize
713B

MD5
97639cb0626309c9476ab3ecb11666db

SHA1
ad2cddeee62d06494563fbfec40bff03e59fb0e0

SHA256
c51bbd382e1c706b75eb68542e029f2136c0c1b422bf09f7188cedfbb5d3f3ab

SHA512
1ecb07857a1f86df8ae53eca7e780a336a1f7053d38fbf6e1ec086a08ad8ef475db7d8f4c31451b4d228e7766253777f5f7969da87c630911acc723d9a4fa5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lrj1css3.0pd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f885d285-7fc3-4db6-8552-81b0cfa6cafa.vbs

Filesize
713B

MD5
bef7d6e273887e3c81f8c8ef99ba2b4d

SHA1
df1cd3020eecbae77bcef3c84b82e4cc75fac0e1

SHA256
633a95594599035b6eb26d076d5d630ec91159e61e3fb049995e78354f0be252

SHA512
818007d325e479848a81a03059a7a8d738f7cb22e19bab7f5f5993b1bef8c136904a868e3edf0b1bf2eb6c252dc31fb5b55160f61f2b806bce583f7f46a3aef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc7d4bf9-23b6-40e0-a6d5-a05a075a54be.vbs

Filesize
713B

MD5
b492178bf43b2d51bbb86f88d77b05ac

SHA1
6b017edf301aa1784b0b02e6c6d0027bbdafca22

SHA256
93a775c223a2663fa25195e90a3d3157dec7c8cd70212787fb7c618d9e95e011

SHA512
2ae0e8537bafcb607b4afd50f4a6e8c9d69a29afc216d43b25b26cd9ca91dd1238c4db3e06ee3916a52071fd614504d3de407ad5e31c50172f4453db29f30145

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdc3db39-3e44-4fa2-92e8-5d52f49ca68b.vbs

Filesize
713B

MD5
4d75c7a13ac98189b743d3ea825a1904

SHA1
83fe5892b08b55724d133b497a65c714df7b698a

SHA256
253f328a220a0a1368d45f2b04865c4c4a57ac77981d04fbc5f2583f2fd33bb5

SHA512
7d07d79fc8e0749b251f4a136f583d7a4d2b1db86b62cac9ff8de84f8b9aef4744347cc8d13c600e4a901606949f1a401c5ba84b9fa5a0c821751195232f678f

Download Submit
C:\Windows\PrintDialog\lsass.exe

Filesize
1.7MB

MD5
84f80fd789246b29bad7599f810bc774

SHA1
e997db4a395b4d0667e85032ff62e8a8a908c10e

SHA256
1d47045478ac8e39c6fc3a5674528fa4533277dae04d8fe3bb2b42379d0285f1

SHA512
8b5186cf49d45516645b6fa1b867f75b8fefe61866c36f553568129890d58a6a4f85864b9171ef969504057c9159e271a6baa1f935ba4c3b41757e4fe7d84b35

Download Submit
C:\Windows\PrintDialog\lsass.exe

Filesize
1.7MB

MD5
f8d95a8e29563bbdfe9bd258da9b8da0

SHA1
65a0879ce2667b911c2208c29aafaec6be143ac7

SHA256
97e69e5c30e097e9634b010db2332ec53b7f81348d8d0edf429215ed265fda3e

SHA512
7e6e78bf6d5fcc29f3f373a511da1e44a393b5ff9dab787c7935cf815f189abfaca78239b66c156de9cdccbf97f32c2439cf29ca295316e41ee3cc1b7633bdde

Download Submit
C:\Windows\twain_32\TextInputHost.exe

Filesize
1.7MB

MD5
85c325b4ab3bccfd166530e47f2f7c00

SHA1
873a597f6f753201146bf1234bada9934343705b

SHA256
d7082591fc31c3cd68f67c8b56abc5eb0c347a2f7613000a6478e71618bcbf5f

SHA512
940eba2012832cec9a4395b70d5fd0dd7605b2bd21b397afd4eb97688b6d70113c2f46e17e42b42bac913ce6c983fe026fe8c7ec41c048fb25319a1b78438a52

Download Submit
memory/64-13-0x000000001BC10000-0x000000001C138000-memory.dmp

Filesize
5.2MB

Download
memory/64-14-0x0000000002500000-0x000000000250C000-memory.dmp

Filesize
48KB

Download
memory/64-22-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/64-15-0x0000000002510000-0x000000000251A000-memory.dmp

Filesize
40KB

Download
memory/64-16-0x0000000002530000-0x000000000253E000-memory.dmp

Filesize
56KB

Download
memory/64-131-0x00007FFCE6AF3000-0x00007FFCE6AF5000-memory.dmp

Filesize
8KB

Download
memory/64-146-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/64-219-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/64-19-0x0000000002560000-0x000000000256C000-memory.dmp

Filesize
48KB

Download
memory/64-1-0x0000000000120000-0x00000000002E0000-memory.dmp

Filesize
1.8MB

Download
memory/64-318-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/64-323-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/64-2-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/64-17-0x0000000002540000-0x0000000002548000-memory.dmp

Filesize
32KB

Download
memory/64-18-0x0000000002550000-0x000000000255C000-memory.dmp

Filesize
48KB

Download
memory/64-23-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/64-0-0x00007FFCE6AF3000-0x00007FFCE6AF5000-memory.dmp

Filesize
8KB

Download
memory/64-12-0x0000000002480000-0x0000000002492000-memory.dmp

Filesize
72KB

Download
memory/64-10-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/64-9-0x0000000002460000-0x000000000246C000-memory.dmp

Filesize
48KB

Download
memory/64-5-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/64-3-0x0000000000C00000-0x0000000000C1C000-memory.dmp

Filesize
112KB

Download
memory/64-7-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/64-8-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/64-6-0x0000000000C70000-0x0000000000C80000-memory.dmp

Filesize
64KB

Download
memory/64-4-0x0000000002490000-0x00000000024E0000-memory.dmp

Filesize
320KB

Download
memory/1108-358-0x000000001B1B0000-0x000000001B1C2000-memory.dmp

Filesize
72KB

Download
memory/2100-230-0x0000021A6D9E0000-0x0000021A6DA02000-memory.dmp

Filesize
136KB

Download
memory/3440-326-0x000000001B8C0000-0x000000001B8D2000-memory.dmp

Filesize
72KB

Download