dcrat | 94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
Size

1.7MB
MD5

64f23bf509820aaebdd17acf6ee2215f
SHA1

98a5be357387e3951149c993b0fc3e8753a57709
SHA256

94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1
SHA512

cd068260c8ba60ef50f461677141872f79e3f13c14977bba519a57848f3ec96af4823955f28c7cf0d1ce362f145d59284e6e2a71f33897f7f818eb44c7564f29
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	1072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	1072	schtasks.exe	82

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/868-1-0x00000000001C0000-0x0000000000380000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b78-30.dat	dcrat
behavioral2/files/0x0032000000023b72-90.dat	dcrat
behavioral2/files/0x000200000001e764-112.dat	dcrat
behavioral2/files/0x0010000000023b8d-135.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4600	powershell.exe
936	powershell.exe
2080	powershell.exe
2356	powershell.exe
876	powershell.exe
4496	powershell.exe
4624	powershell.exe
4484	powershell.exe
832	powershell.exe
2292	powershell.exe
2848	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 9 IoCs

pid	Process
1032	dllhost.exe
1300	dllhost.exe
2300	dllhost.exe
3688	dllhost.exe
1720	dllhost.exe
4964	dllhost.exe
936	dllhost.exe
852	dllhost.exe
5084	dllhost.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\RCX9480.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files\VideoLAN\VLC\skins\9e8d7a4ca61bd9	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCX860D.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dllhost.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\e1ef82546f0b02	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\886983d96e3d3e	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX8823.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX9066.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX9703.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\5940a34987c991	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCX860C.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX8822.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dllhost.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\5940a34987c991	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX8FE8.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\RCX94FE.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX9702.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\RCX8AA4.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Windows\Fonts\RCX8B22.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Windows\Fonts\csrss.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Windows\servicing\ja-JP\StartMenuExperienceHost.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Windows\Fonts\csrss.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Windows\Fonts\886983d96e3d3e	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2984	schtasks.exe
224	schtasks.exe
3368	schtasks.exe
1688	schtasks.exe
4456	schtasks.exe
3016	schtasks.exe
2960	schtasks.exe
1152	schtasks.exe
3120	schtasks.exe
4872	schtasks.exe
4084	schtasks.exe
2728	schtasks.exe
4328	schtasks.exe
2820	schtasks.exe
3468	schtasks.exe
5016	schtasks.exe
3452	schtasks.exe
3704	schtasks.exe
3728	schtasks.exe
692	schtasks.exe
4040	schtasks.exe
2028	schtasks.exe
5092	schtasks.exe
3028	schtasks.exe
4700	schtasks.exe
3956	schtasks.exe
1084	schtasks.exe
3176	schtasks.exe
4080	schtasks.exe
4608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
832	powershell.exe
832	powershell.exe
936	powershell.exe
936	powershell.exe
2292	powershell.exe
2292	powershell.exe
2080	powershell.exe
2080	powershell.exe
876	powershell.exe
876	powershell.exe
4624	powershell.exe
2356	powershell.exe
2356	powershell.exe
4624	powershell.exe
2848	powershell.exe
2848	powershell.exe
4484	powershell.exe
4484	powershell.exe
4496	powershell.exe
4496	powershell.exe
2356	powershell.exe
832	powershell.exe
2080	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	1032	dllhost.exe
Token: SeDebugPrivilege	1300	dllhost.exe
Token: SeDebugPrivilege	2300	dllhost.exe
Token: SeDebugPrivilege	3688	dllhost.exe
Token: SeDebugPrivilege	1720	dllhost.exe
Token: SeDebugPrivilege	4964	dllhost.exe
Token: SeDebugPrivilege	936	dllhost.exe
Token: SeDebugPrivilege	852	dllhost.exe
Token: SeDebugPrivilege	5084	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 2848	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	116
PID 868 wrote to memory of 2848	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	116
PID 868 wrote to memory of 2292	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	117
PID 868 wrote to memory of 2292	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	117
PID 868 wrote to memory of 876	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	118
PID 868 wrote to memory of 876	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	118
PID 868 wrote to memory of 832	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	119
PID 868 wrote to memory of 832	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	119
PID 868 wrote to memory of 2356	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	120
PID 868 wrote to memory of 2356	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	120
PID 868 wrote to memory of 2080	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	121
PID 868 wrote to memory of 2080	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	121
PID 868 wrote to memory of 936	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	122
PID 868 wrote to memory of 936	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	122
PID 868 wrote to memory of 4484	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	123
PID 868 wrote to memory of 4484	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	123
PID 868 wrote to memory of 4624	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	124
PID 868 wrote to memory of 4624	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	124
PID 868 wrote to memory of 4600	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	125
PID 868 wrote to memory of 4600	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	125
PID 868 wrote to memory of 4496	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	126
PID 868 wrote to memory of 4496	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	126
PID 868 wrote to memory of 2560	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	137
PID 868 wrote to memory of 2560	868	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	137
PID 2560 wrote to memory of 4684	2560	cmd.exe	140
PID 2560 wrote to memory of 4684	2560	cmd.exe	140
PID 2560 wrote to memory of 1032	2560	cmd.exe	144
PID 2560 wrote to memory of 1032	2560	cmd.exe	144
PID 1032 wrote to memory of 4596	1032	dllhost.exe	145
PID 1032 wrote to memory of 4596	1032	dllhost.exe	145
PID 1032 wrote to memory of 3708	1032	dllhost.exe	146
PID 1032 wrote to memory of 3708	1032	dllhost.exe	146
PID 4596 wrote to memory of 1300	4596	WScript.exe	149
PID 4596 wrote to memory of 1300	4596	WScript.exe	149
PID 1300 wrote to memory of 4864	1300	dllhost.exe	150
PID 1300 wrote to memory of 4864	1300	dllhost.exe	150
PID 1300 wrote to memory of 1908	1300	dllhost.exe	151
PID 1300 wrote to memory of 1908	1300	dllhost.exe	151
PID 4864 wrote to memory of 2300	4864	WScript.exe	152
PID 4864 wrote to memory of 2300	4864	WScript.exe	152
PID 2300 wrote to memory of 956	2300	dllhost.exe	153
PID 2300 wrote to memory of 956	2300	dllhost.exe	153
PID 2300 wrote to memory of 2972	2300	dllhost.exe	154
PID 2300 wrote to memory of 2972	2300	dllhost.exe	154
PID 956 wrote to memory of 3688	956	WScript.exe	155
PID 956 wrote to memory of 3688	956	WScript.exe	155
PID 3688 wrote to memory of 2724	3688	dllhost.exe	156
PID 3688 wrote to memory of 2724	3688	dllhost.exe	156
PID 3688 wrote to memory of 1124	3688	dllhost.exe	157
PID 3688 wrote to memory of 1124	3688	dllhost.exe	157
PID 2724 wrote to memory of 1720	2724	WScript.exe	158
PID 2724 wrote to memory of 1720	2724	WScript.exe	158
PID 1720 wrote to memory of 3212	1720	dllhost.exe	159
PID 1720 wrote to memory of 3212	1720	dllhost.exe	159
PID 1720 wrote to memory of 4100	1720	dllhost.exe	160
PID 1720 wrote to memory of 4100	1720	dllhost.exe	160
PID 3212 wrote to memory of 4964	3212	WScript.exe	161
PID 3212 wrote to memory of 4964	3212	WScript.exe	161
PID 4964 wrote to memory of 3196	4964	dllhost.exe	162
PID 4964 wrote to memory of 3196	4964	dllhost.exe	162
PID 4964 wrote to memory of 1360	4964	dllhost.exe	163
PID 4964 wrote to memory of 1360	4964	dllhost.exe	163
PID 3196 wrote to memory of 936	3196	WScript.exe	164
PID 3196 wrote to memory of 936	3196	WScript.exe	164

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
"C:\Users\Admin\AppData\Local\Temp\94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbUpz34cjT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4684
- - C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe
    "C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b0bfe5f-3e33-4abb-8c3f-12bcd33cdf69.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d114e8b8-e282-41df-9973-841627cfed64.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55d75737-6df4-4838-97cd-db6a644de8f8.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\595b4878-e4c7-4764-bd9c-9febc746be49.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\971863eb-03a6-4fa1-8e17-6cfe1c02e850.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7953b2c7-acbb-4951-a1f7-51f39030f2c9.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\752cbc0f-9295-4cbf-9171-df827f6d4055.vbs"
        16⤵
        
        PID:2896
        
        C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48be6a48-0841-4cfe-bdc2-aa2538b0f324.vbs"
        18⤵
        
        PID:1496
        
        C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1aea8139-74af-448e-8f95-da55782223c9.vbs"
        18⤵
        
        PID:4232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7b45870-7113-45a4-ab4f-eabb814d9c74.vbs"
        16⤵
        
        PID:4776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cbce323-d957-4257-9f97-3d69f9461d2d.vbs"
        14⤵
        
        PID:1360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a622778-039a-4148-a921-549e213be56b.vbs"
        12⤵
        
        PID:4100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d30fcdc8-5ba2-402e-a75f-86202de658bf.vbs"
        10⤵
        
        PID:1124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5857c17f-abfc-4625-9dc4-18a9d346fab6.vbs"
        8⤵
        
        PID:2972
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96a9076e-0ebc-42a9-9d64-de512dea863c.vbs"
        6⤵
        
        PID:1908
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b29a684-32b3-419a-a7fe-e283e018a2d6.vbs"
      4⤵
      PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dllhost.exe

Filesize
1.7MB

MD5
2461574a06715d75f751ae452ef7f723

SHA1
6655b4f497c42650e97c2001f4bfa5eb125418ed

SHA256
d70c5f5753ef50443a5811b81e35934c1343f6c323eb69279115f1c62b10eda7

SHA512
14e3188a75c2bbaf9e43b24720865a6e633a9d59e9957de9bed5efd86434742e60ea05d4cd272255d45498f7f90133300858417ebbf477074106c6890b01f27b

Download Submit
C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe

Filesize
1.7MB

MD5
10cbd88751434272f416a837a2feb59f

SHA1
9bdc52ece26c1950a16d97d5ca87422c8ee81985

SHA256
533509d64c58bc19e5b22b4d07794ef450cadf36161b83e7de4592542c5274cf

SHA512
ec566aa9c4b2ab982d7f8707d07490bd88bb5f2630f78087a6eb76d7a2a51688b03258c3a0ccf8c3a70d3249e684909cb28806d96602f0d6774d1e1832c23e8d

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.7MB

MD5
64f23bf509820aaebdd17acf6ee2215f

SHA1
98a5be357387e3951149c993b0fc3e8753a57709

SHA256
94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1

SHA512
cd068260c8ba60ef50f461677141872f79e3f13c14977bba519a57848f3ec96af4823955f28c7cf0d1ce362f145d59284e6e2a71f33897f7f818eb44c7564f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b29a684-32b3-419a-a7fe-e283e018a2d6.vbs

Filesize
513B

MD5
793a68f2b28e24f8c797b3744f4dbe76

SHA1
9ba6b6a95db758ed83428ca3653c6a8bd71f7542

SHA256
82c3f2349a1a86859a9ea7af1aaf2da05b553cca8dd72aa972d67c184101f55d

SHA512
e65b91335a982462cbcab7cfc3689f62e354d44e50cf750e992eb7dc3352fd3b241fe40c900a52dca04048a832a9a9474847a6062b23db5e24f8195c4f7f4928

Download Submit
C:\Users\Admin\AppData\Local\Temp\48be6a48-0841-4cfe-bdc2-aa2538b0f324.vbs

Filesize
736B

MD5
5a00c5a7ffcb43fee1c3df7c9ee6826c

SHA1
efe69dea353a6591e0a92876835e42276738310d

SHA256
0965cb96e28dd5fff998e71aab77fa14fcb3ba23e2b03c5c0526a9e89fc6c946

SHA512
3ef530859db402089c8b3e934fe0432f00fe3d71b332f2a6dd472316cbb95d9105c9392fe10e3987740ca5ed25cdcfeb75395024d26186e50a9f4dfc56f3d46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\55d75737-6df4-4838-97cd-db6a644de8f8.vbs

Filesize
737B

MD5
a6d864d41b41c30722207a52ab798046

SHA1
fa344bc7358844378e75cc42d4bc987d2970cfde

SHA256
d18778bffc584f3a6e99d70fc4ab7f6bd23a93cf82c115619c180f4813d4815f

SHA512
6c983baf933ad3c4ea239a98c7cfaca8da92a55d65a4c4cd4c5d09a0d51a7a8f606a2717f630f55d5f594b6b093c6c742b57a2e54df364699662bdf8a72af328

Download Submit
C:\Users\Admin\AppData\Local\Temp\595b4878-e4c7-4764-bd9c-9febc746be49.vbs

Filesize
737B

MD5
fcb2ad16eca87e988d1fcc3b76ccc591

SHA1
1600f196908ae69e108d29c0850f442dd04482ca

SHA256
031770850bac21e1d30506f301db61f3b5f2d20ab9adf5540e48a73e3f23b4ee

SHA512
bac5ed31f7d4400704942f61f3f6ad77ff1f271c79b8832fb0f76c7397700c4858bc66436cb81643511ea03744edee4b25701a3d9e91a0257a3ec88f619d9d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b0bfe5f-3e33-4abb-8c3f-12bcd33cdf69.vbs

Filesize
737B

MD5
1ab590228057ccd73ff40857a190b1c7

SHA1
24a2676b459c5be010fa6b7342b98b9c18d6c66d

SHA256
96700305a8e2830ac9fb9a2450177dc919692d3749ee27da83747d83bb86ddaf

SHA512
0dad78ef0dc47a15eacb7d8d3cc18f35e2cbef7cad59b7c20358a5fb12cd9aed79f41739d63350da37fcd8603426de1278a3ce6955eec2b6001b071987cf127e

Download Submit
C:\Users\Admin\AppData\Local\Temp\752cbc0f-9295-4cbf-9171-df827f6d4055.vbs

Filesize
736B

MD5
b1fc0b0e1af022303aa5f862c933837f

SHA1
71262bffedb3b953d3b9cf5a8cda470e7ac28430

SHA256
eab6885b2416bb795dcc31ba8c88584718b825e35901d2a44a2c97b32caca51d

SHA512
d2776ab67bcad7d1bde010254731379584fd5590cfd9d08d5b876f2cb3db5d81521a5ccaaf0f334aa7b5ebbbdecaa7368604b63c19cd3cef007583d5773a34e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7953b2c7-acbb-4951-a1f7-51f39030f2c9.vbs

Filesize
737B

MD5
debac4c990c0667462d57c39d061ac3e

SHA1
9a49424d8c64b2beb858d8fb0c1ddb023ab3a2de

SHA256
512ce71b5197b00764afbfc8952ef37f0d7331139b11af272f7e0451a6b3ced5

SHA512
da6d0ea952ce40b8a06cb3ce7ae267f83822c772cc0e762d37f5f2f27c36d0ac75e69ed792bed7cff1547e579c73b2f88f978a5194ce98e88af63d5e3ee9b9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\971863eb-03a6-4fa1-8e17-6cfe1c02e850.vbs

Filesize
737B

MD5
9cac7327bf38ddab5feaa9ca1a2b0ddc

SHA1
dcaa6e979571a3d083b28a17fa61bce353f737e9

SHA256
7c7a31619fb8c18c87a53b96aa38ee36695fe89638d4af763d8ee98c6e4a6657

SHA512
3a4b1a8c5cb1059870a01fef44d02bef3547f60d73f929644b05ec47670a2f55f9674e276079e6a6522d9e90a3cfefe359c685c34bcbe2f4c8d2e6bf8dc5fa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jpx1ak2h.w1a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbUpz34cjT.bat

Filesize
226B

MD5
2d82e4af5c13e5bbf54d29980721ea68

SHA1
07e91becf751aff2691a9829889b191446252ffb

SHA256
68610a490826a5a9ca137ae6222c94cc1b17f409612c12368a21669830bd9326

SHA512
cd53ee940b74b33decce751557308815ed418fef4c64b11608b17f0cafbc5d41b6a4bd78d4a076488c44249b6b468bdbaf5a8f1b799a07a5599f847fff9f86a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d114e8b8-e282-41df-9973-841627cfed64.vbs

Filesize
737B

MD5
07fea09d0fbdf915d000722a520735d0

SHA1
c14d8c6f6975daf1c072532ce0e87912d7d5db0a

SHA256
c73f2564b319f284fa6f15b02581592565501ab2a8b98087c33488418beb1471

SHA512
25301410a78669e14b65175e84afebc4a5710ab0a8227076150dcbaa32b827a528b3aeb1fe31194a191d8c7ddb2c103e55bab171a685cde735d4bce48f888b73

Download Submit
C:\Windows\Fonts\csrss.exe

Filesize
1.7MB

MD5
550b8956d52535fb86329fb902d434dc

SHA1
8b6889047267cffd43f231566c812f63cbf8fd8f

SHA256
262f21b24cb819829456f16a50f7b092e3c2cae9a82bc294c22ddcd3c47a789f

SHA512
a28994c52b87d53fee30c54a92ff821e11013f9f0ac1dd278549ac88470288116e79c4f96a28a4d14319e8d16008cb904d10172c65dab4f6b69757a843279110

Download Submit
memory/832-178-0x00000297C4040000-0x00000297C4062000-memory.dmp

Filesize
136KB

Download
memory/868-13-0x000000001BBC0000-0x000000001C0E8000-memory.dmp

Filesize
5.2MB

Download
memory/868-1-0x00000000001C0000-0x0000000000380000-memory.dmp

Filesize
1.8MB

Download
memory/868-14-0x000000001B690000-0x000000001B69C000-memory.dmp

Filesize
48KB

Download
memory/868-150-0x00007FF916683000-0x00007FF916685000-memory.dmp

Filesize
8KB

Download
memory/868-168-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/868-0-0x00007FF916683000-0x00007FF916685000-memory.dmp

Filesize
8KB

Download
memory/868-15-0x000000001B910000-0x000000001B91A000-memory.dmp

Filesize
40KB

Download
memory/868-17-0x000000001B7A0000-0x000000001B7A8000-memory.dmp

Filesize
32KB

Download
memory/868-18-0x000000001B7B0000-0x000000001B7BC000-memory.dmp

Filesize
48KB

Download
memory/868-12-0x000000001B660000-0x000000001B672000-memory.dmp

Filesize
72KB

Download
memory/868-20-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/868-19-0x000000001B7C0000-0x000000001B7CC000-memory.dmp

Filesize
48KB

Download
memory/868-16-0x000000001B920000-0x000000001B92E000-memory.dmp

Filesize
56KB

Download
memory/868-10-0x000000001B650000-0x000000001B658000-memory.dmp

Filesize
32KB

Download
memory/868-9-0x000000001B5F0000-0x000000001B5FC000-memory.dmp

Filesize
48KB

Download
memory/868-8-0x000000001B5E0000-0x000000001B5F0000-memory.dmp

Filesize
64KB

Download
memory/868-7-0x000000001B5C0000-0x000000001B5D6000-memory.dmp

Filesize
88KB

Download
memory/868-5-0x000000001AE90000-0x000000001AE98000-memory.dmp

Filesize
32KB

Download
memory/868-6-0x000000001B5B0000-0x000000001B5C0000-memory.dmp

Filesize
64KB

Download
memory/868-4-0x000000001B600000-0x000000001B650000-memory.dmp

Filesize
320KB

Download
memory/868-3-0x000000001AE70000-0x000000001AE8C000-memory.dmp

Filesize
112KB

Download
memory/868-2-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/868-23-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download