dcrat | 45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
Size

1.7MB
MD5

d6ece0dfc8c9c95e0cc2851ee372405d
SHA1

2fd8432db75562aa867903b69f1e2c36bbac5fab
SHA256

45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d
SHA512

b9e47c3073a8d2dac54f6937491bc55a4c25c23066bbd08d8f5e5203258684ea17d6a3b65c45174c5a8426422c30422dd8773ee560f3fd874cd1a363f2336b27
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKva:+THUxUoh1IF9gl2Z

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	1172	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1172	schtasks.exe	82

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1100-1-0x0000000000E60000-0x0000000001020000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b87-30.dat	dcrat
behavioral2/files/0x000d000000023b90-59.dat	dcrat
behavioral2/files/0x000c000000023b7e-93.dat	dcrat
behavioral2/memory/4484-253-0x0000000000880000-0x0000000000A40000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1044	powershell.exe
2800	powershell.exe
4324	powershell.exe
2200	powershell.exe
4448	powershell.exe
3148	powershell.exe
1136	powershell.exe
2964	powershell.exe
3200	powershell.exe
872	powershell.exe
4960	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 10 IoCs

pid	Process
4484	spoolsv.exe
3724	spoolsv.exe
3300	spoolsv.exe
4696	spoolsv.exe
632	spoolsv.exe
3472	spoolsv.exe
4416	spoolsv.exe
4560	spoolsv.exe
2572	spoolsv.exe
3544	spoolsv.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\ModifiableWindowsApps\MusNotification.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\Windows Mail\e1ef82546f0b02	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Windows Mail\RCX801F.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Windows Mail\RCX802F.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX894E.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX89CC.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files\Windows Mail\SppExtComObj.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Program Files\Windows Mail\SppExtComObj.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files (x86)\Google\Update\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Program Files (x86)\Google\Update\def40585f76b1f	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\f3b6ecef712a24	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Windows\Branding\Basebrd\it-IT\winlogon.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\microsoft.system.package.metadata\55b276f4edf653	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Windows\Branding\Basebrd\it-IT\RCX873A.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Windows\Branding\Basebrd\it-IT\winlogon.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\microsoft.system.package.metadata\RCX8BF1.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\microsoft.system.package.metadata\StartMenuExperienceHost.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Windows\es-ES\spoolsv.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Windows\es-ES\RCX8234.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Windows\Branding\Basebrd\it-IT\cc11b995f2a76d	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\microsoft.system.package.metadata\StartMenuExperienceHost.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Windows\es-ES\spoolsv.exe	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Windows\Branding\Basebrd\it-IT\RCX8739.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Windows\es-ES\RCX82B2.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\microsoft.system.package.metadata\RCX8BF0.tmp	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2212	schtasks.exe
3676	schtasks.exe
1184	schtasks.exe
4556	schtasks.exe
1168	schtasks.exe
3836	schtasks.exe
1440	schtasks.exe
1928	schtasks.exe
3124	schtasks.exe
776	schtasks.exe
4116	schtasks.exe
5024	schtasks.exe
3216	schtasks.exe
1320	schtasks.exe
2424	schtasks.exe
1924	schtasks.exe
2344	schtasks.exe
4728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
3200	powershell.exe
3200	powershell.exe
4324	powershell.exe
4324	powershell.exe
1136	powershell.exe
1136	powershell.exe
3148	powershell.exe
3148	powershell.exe
4448	powershell.exe
4448	powershell.exe
2200	powershell.exe
2200	powershell.exe
872	powershell.exe
872	powershell.exe
2964	powershell.exe
2964	powershell.exe
4960	powershell.exe
4960	powershell.exe
1044	powershell.exe
1044	powershell.exe
2800	powershell.exe
2800	powershell.exe
2964	powershell.exe
2800	powershell.exe
4960	powershell.exe
3200	powershell.exe
4324	powershell.exe
1136	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	4484	spoolsv.exe
Token: SeDebugPrivilege	3724	spoolsv.exe
Token: SeDebugPrivilege	3300	spoolsv.exe
Token: SeDebugPrivilege	4696	spoolsv.exe
Token: SeDebugPrivilege	632	spoolsv.exe
Token: SeDebugPrivilege	3472	spoolsv.exe
Token: SeDebugPrivilege	4416	spoolsv.exe
Token: SeDebugPrivilege	4560	spoolsv.exe
Token: SeDebugPrivilege	2572	spoolsv.exe
Token: SeDebugPrivilege	3544	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1044	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	101
PID 1100 wrote to memory of 1044	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	101
PID 1100 wrote to memory of 2800	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	102
PID 1100 wrote to memory of 2800	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	102
PID 1100 wrote to memory of 1136	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	103
PID 1100 wrote to memory of 1136	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	103
PID 1100 wrote to memory of 4324	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	104
PID 1100 wrote to memory of 4324	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	104
PID 1100 wrote to memory of 2200	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	105
PID 1100 wrote to memory of 2200	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	105
PID 1100 wrote to memory of 4448	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	106
PID 1100 wrote to memory of 4448	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	106
PID 1100 wrote to memory of 2964	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	107
PID 1100 wrote to memory of 2964	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	107
PID 1100 wrote to memory of 3200	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	108
PID 1100 wrote to memory of 3200	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	108
PID 1100 wrote to memory of 3148	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	109
PID 1100 wrote to memory of 3148	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	109
PID 1100 wrote to memory of 872	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	110
PID 1100 wrote to memory of 872	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	110
PID 1100 wrote to memory of 4960	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	111
PID 1100 wrote to memory of 4960	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	111
PID 1100 wrote to memory of 2460	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	122
PID 1100 wrote to memory of 2460	1100	45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe	122
PID 2460 wrote to memory of 2340	2460	cmd.exe	125
PID 2460 wrote to memory of 2340	2460	cmd.exe	125
PID 2460 wrote to memory of 4484	2460	cmd.exe	126
PID 2460 wrote to memory of 4484	2460	cmd.exe	126
PID 4484 wrote to memory of 628	4484	spoolsv.exe	130
PID 4484 wrote to memory of 628	4484	spoolsv.exe	130
PID 4484 wrote to memory of 4452	4484	spoolsv.exe	131
PID 4484 wrote to memory of 4452	4484	spoolsv.exe	131
PID 628 wrote to memory of 3724	628	WScript.exe	136
PID 628 wrote to memory of 3724	628	WScript.exe	136
PID 3724 wrote to memory of 4732	3724	spoolsv.exe	137
PID 3724 wrote to memory of 4732	3724	spoolsv.exe	137
PID 3724 wrote to memory of 3700	3724	spoolsv.exe	138
PID 3724 wrote to memory of 3700	3724	spoolsv.exe	138
PID 4732 wrote to memory of 3300	4732	WScript.exe	140
PID 4732 wrote to memory of 3300	4732	WScript.exe	140
PID 3300 wrote to memory of 2492	3300	spoolsv.exe	141
PID 3300 wrote to memory of 2492	3300	spoolsv.exe	141
PID 3300 wrote to memory of 1644	3300	spoolsv.exe	142
PID 3300 wrote to memory of 1644	3300	spoolsv.exe	142
PID 2492 wrote to memory of 4696	2492	WScript.exe	143
PID 2492 wrote to memory of 4696	2492	WScript.exe	143
PID 4696 wrote to memory of 1852	4696	spoolsv.exe	144
PID 4696 wrote to memory of 1852	4696	spoolsv.exe	144
PID 4696 wrote to memory of 872	4696	spoolsv.exe	145
PID 4696 wrote to memory of 872	4696	spoolsv.exe	145
PID 1852 wrote to memory of 632	1852	WScript.exe	146
PID 1852 wrote to memory of 632	1852	WScript.exe	146
PID 632 wrote to memory of 1320	632	spoolsv.exe	147
PID 632 wrote to memory of 1320	632	spoolsv.exe	147
PID 632 wrote to memory of 1964	632	spoolsv.exe	148
PID 632 wrote to memory of 1964	632	spoolsv.exe	148
PID 1320 wrote to memory of 3472	1320	WScript.exe	149
PID 1320 wrote to memory of 3472	1320	WScript.exe	149
PID 3472 wrote to memory of 1544	3472	spoolsv.exe	150
PID 3472 wrote to memory of 1544	3472	spoolsv.exe	150
PID 3472 wrote to memory of 2416	3472	spoolsv.exe	151
PID 3472 wrote to memory of 2416	3472	spoolsv.exe	151
PID 1544 wrote to memory of 4416	1544	WScript.exe	152
PID 1544 wrote to memory of 4416	1544	WScript.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe
"C:\Users\Admin\AppData\Local\Temp\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bM4d27ZEeE.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2340
- - C:\Windows\es-ES\spoolsv.exe
    "C:\Windows\es-ES\spoolsv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59d5269e-6695-4120-80ab-693b75e70a06.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Windows\es-ES\spoolsv.exe
        
        C:\Windows\es-ES\spoolsv.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3724
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37b0b3fd-61be-4971-b142-de842be15ccd.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\es-ES\spoolsv.exe
        
        C:\Windows\es-ES\spoolsv.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98a03cc7-13d2-497b-8483-8dafb441971c.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\es-ES\spoolsv.exe
        
        C:\Windows\es-ES\spoolsv.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ac36ab3-4da1-40cc-a5c9-8ffc40cece1d.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\es-ES\spoolsv.exe
        
        C:\Windows\es-ES\spoolsv.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd00e76d-2797-47fa-a2a0-606f0d953c06.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\es-ES\spoolsv.exe
        
        C:\Windows\es-ES\spoolsv.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef512989-18b9-46e9-8e2e-0366b5745597.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\es-ES\spoolsv.exe
        
        C:\Windows\es-ES\spoolsv.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8457723f-33e5-434a-9f5b-29c32480ec11.vbs"
        16⤵
        
        PID:4004
        
        C:\Windows\es-ES\spoolsv.exe
        
        C:\Windows\es-ES\spoolsv.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb8318fb-ad3e-4962-a2c3-c036fbbc679e.vbs"
        18⤵
        
        PID:228
        
        C:\Windows\es-ES\spoolsv.exe
        
        C:\Windows\es-ES\spoolsv.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10b59f3a-49ec-4711-840b-a0bb6bf66fc1.vbs"
        20⤵
        
        PID:2284
        
        C:\Windows\es-ES\spoolsv.exe
        
        C:\Windows\es-ES\spoolsv.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff98de8a-79a7-4905-b0a0-5436c9cc2bda.vbs"
        22⤵
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52b1a0c6-1d39-4ffe-81ee-a271141744ef.vbs"
        22⤵
        
        PID:920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bcb5fc4-8f3a-456e-b927-d8d766a0ac97.vbs"
        20⤵
        
        PID:1064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9c1d18e-71b4-40b0-9b55-2e1ebc341d70.vbs"
        18⤵
        
        PID:4660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b90218a2-76e1-4dac-8f80-c501e41994ee.vbs"
        16⤵
        
        PID:5116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2492adb9-00c0-4eee-ab97-5334fd6f1435.vbs"
        14⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9195cb77-4614-4bc2-8d07-c38ef8dec411.vbs"
        12⤵
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\194bfc56-2045-4386-a0a2-5bd6349be1a5.vbs"
        10⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb1a8138-0ad2-41a8-93bb-d8da8e50bff3.vbs"
        8⤵
        
        PID:1644
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2707363-c5b0-4034-a3ee-6d957589bb06.vbs"
        6⤵
        
        PID:3700
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da4f93da-12c0-4f9f-a167-1c0d1f480d55.vbs"
      4⤵
      PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\Basebrd\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\Basebrd\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d4" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d4" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\microsoft.system.package.metadata\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\microsoft.system.package.metadata\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\microsoft.system.package.metadata\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe

Filesize
1.7MB

MD5
d6ece0dfc8c9c95e0cc2851ee372405d

SHA1
2fd8432db75562aa867903b69f1e2c36bbac5fab

SHA256
45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d

SHA512
b9e47c3073a8d2dac54f6937491bc55a4c25c23066bbd08d8f5e5203258684ea17d6a3b65c45174c5a8426422c30422dd8773ee560f3fd874cd1a363f2336b27

Download Submit
C:\Program Files (x86)\Google\Update\45a89d2fb241df6bae2a79dc922fd124fe9b064512b9dd0806a7f0f633b1689d.exe

Filesize
1.7MB

MD5
3b9c75e9f09f59d590be52a9677bea3a

SHA1
5dd5db3f8add83230fdf15762edaaa072fd02ae5

SHA256
0dcc8cb7172b472f28f5fd21f52c5ac2037c78b36082a796b88b501b1f85c3b3

SHA512
23770d7d6234871d72ea408946b76bde98f31ea59cf987623813afd1e64101a04664f5994242fbddb49b1e07e940952cd6c4e0fa1fbe3474a1a2a285adc1b944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10b59f3a-49ec-4711-840b-a0bb6bf66fc1.vbs

Filesize
704B

MD5
5887107882cc2f9098eb102f0a27bf07

SHA1
e845bbdc3dea0701b8236d98f5a41705175ff5bf

SHA256
0495a0978127b00e6894d4731b0aed312acc039bfea19ea1002802957a666288

SHA512
aa3a2aa19bfb36168ce0822d911d27dfd764e78b50a8ef115065ea1112f089c6093e26f689cd5f54e9af26f494dd87a8ac7230408d4dc8f8625a519bd54f8c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\37b0b3fd-61be-4971-b142-de842be15ccd.vbs

Filesize
704B

MD5
069adef56907579c368c826d9028a1c3

SHA1
a3542472a2b02b508434a129a0eb8fe2abb80413

SHA256
4b7bb302f049e7537cf0e299b584d27a1d2285d550dfc4de56a753c6ea4cf151

SHA512
d11ba3efd4f7380efdcf23450fbe4b899a2cfb21e77c8746219ab1465513b0b4d35f4eff62b394c5c0e085f385d808179dc6b2804242d675a4205bcb87ad89a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\59d5269e-6695-4120-80ab-693b75e70a06.vbs

Filesize
704B

MD5
6f614f79138fbdfdd822edfaba212144

SHA1
ba54c4295bd1db0a13cba36b059f30f59ba9cb58

SHA256
7cccbb8f7e712371977b101dbbcedb19dcaaf99c97edf7123f397878efe6fef0

SHA512
ab79410f38f63fcfa8ec2a4aff6ab174423c0886b6beb0bf61f9ebdf5dba57826007eef8db6ae19085a85406534ec04a01461c217bae5588c83b8929d1b3fe42

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ac36ab3-4da1-40cc-a5c9-8ffc40cece1d.vbs

Filesize
704B

MD5
ad537b100291f2aefa0eb586c3638991

SHA1
329f3342a9fff6ae47839e65050965ed89f53515

SHA256
e955cebb9e8f0d127db342f45e530243f1bc67b943d7b44557d921e82dbf24c9

SHA512
0332f920a97d2f58da0789fcf6e18a4115bd0cd900e819b151f028ef56f67fff4ba2be1407a77b8e6156310bc80725b7239ba5574345b15ba95f5c9fe7479656

Download Submit
C:\Users\Admin\AppData\Local\Temp\8457723f-33e5-434a-9f5b-29c32480ec11.vbs

Filesize
704B

MD5
4ce65c43aa8e5e2da5263ed3ae0d0713

SHA1
6298140768b858d538440db84c5831f1c0cf08f1

SHA256
5159585f839c176e89083b7856813274a3c7e80f64fe27c8134456f92278fd4a

SHA512
f7c4e895ebd0362716d71a2155f32ddab14ebacf7f91ae2e75d40b299fa2a24f9e270fac85c41b771fdaad956102b5f51807f661b4699fb9eabb00b3b160433e

Download Submit
C:\Users\Admin\AppData\Local\Temp\98a03cc7-13d2-497b-8483-8dafb441971c.vbs

Filesize
704B

MD5
1ac6ff4d1f947d943c66dcb77528637c

SHA1
d04b8790aa3cbcba1ced1c26bcd9be824e6476eb

SHA256
b56242f23ca6b3456632bed363fbc7bcda846390d1121b12cb3f86de22c0a150

SHA512
a8844e1f6ce2bcc527547d2147c30adde1ee2fbf40a067d173622f357afef79a98139aa27d446829021ab67117e84029ffbe442ecde02f81d26ab7e9f3b39876

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0xppoinb.krn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bM4d27ZEeE.bat

Filesize
193B

MD5
5a2890ad5ee84f380c33d978918d4124

SHA1
08456b47f2593a3f1a376ba3558eae0984f17739

SHA256
7c6c218314e9fb111c1071763874d0127ddc99d7b8fe4f116a5ab17f8b393611

SHA512
149d28466e9fd884f5ce94a392facf6d6d3084cb9f2ab7a98a3996a1874c9823fd647afccbc31fb64c28bea46926dbb79133f37878910cb0010228a77fe7757c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd00e76d-2797-47fa-a2a0-606f0d953c06.vbs

Filesize
703B

MD5
6ded661e12c8c419bd896c84c7e4764c

SHA1
627ac61208d93c1e65bd5dca318676fa6aaca9db

SHA256
09faa7d224d48b958d2a0d1b82d171173832fccc6f281723f7a09c1073d16ced

SHA512
d66585ed523274506b3c2c26d25e754d4552c78a547135bdb6d18276043efefb4dbb29d50c7794884de3106425a00812d88e922b95c03cda11eb1f61ee059df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\da4f93da-12c0-4f9f-a167-1c0d1f480d55.vbs

Filesize
480B

MD5
9c4838649f18383c6dfa03907af8b90b

SHA1
487a0a141f050b9f4e7a102d5ed90e2188901c23

SHA256
d4930926016e685c277eba568debd3ef27d64c575912ef2d4b3f35ec092d7245

SHA512
b78ed7e9a8fda3c73ee0a747f2e2d83d9d600b27b908f16dd4f1d7b834205b6c863b67b2c06eab953b0989936ae3591ab15f0ba0662a490f98861d23ad90b9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef512989-18b9-46e9-8e2e-0366b5745597.vbs

Filesize
704B

MD5
91b8b5aa0fb94d284431431b564cb5b8

SHA1
031d3df72159385c157ed439241fc7438903d3a9

SHA256
3dbe9818608fa830f9e4ca5669dbfe61f496c98e1cd38d3f493a5bb3c7cb84ed

SHA512
f247095c3a44b0c4cbc7b73225f29abbf5bc752fd6641ffb41d5f72971950b73f083bc2dfeb4a85f6f4d078bd3bf2f28e191bd4c4bd38d4e5b3b401c9d301550

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb8318fb-ad3e-4962-a2c3-c036fbbc679e.vbs

Filesize
704B

MD5
192fe14b2d8115abb11c9ddc3ce582e1

SHA1
165a23bcd8fa2603f27c3f1334473e73eb15c58b

SHA256
a6520621b1f333f3f2ad324ff7062f69ec5569afd438ac7e1d95404208cead6e

SHA512
eed45e5f2d49c6bd6fa4b2ddf018738318ad3994e12c300fd6b689a5d84483650b9ec62b6f0040c7d8ba3a6d4096abe31d54fdfa50aa1fbefd1d23e40a5cc65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff98de8a-79a7-4905-b0a0-5436c9cc2bda.vbs

Filesize
704B

MD5
5d6073f3dae840986896397c3e25944d

SHA1
743a5bbadddc2a301717b26ae3cfb58505907fca

SHA256
99f797f0ee933698320935801c3bff76c7b60fbb6c55c74d7e6fada44f39985e

SHA512
b81ed7313b95c6ad124c32a5094b866d167fba04f1ee570e0804878df58084a58ac36d12f8f52c543d1e1e475c3a4d87e37140916d9652560d2030a49b13623d

Download Submit
C:\Windows\es-ES\spoolsv.exe

Filesize
1.7MB

MD5
edd73206d176e7b29e1c3899f4a941d1

SHA1
d1bdeb816dd57723e2526653c5497d92982c0ec6

SHA256
26514acf09e4969c88bab97551bbdedf07f5afb007d328131bd1c88c01d15be2

SHA512
ce584503d1beb0bafb803048231590c675fcaa3cc3a7a259725ed8cfc6d992c5e4c947abd2b87e90fa0476f27973eb552b0f2404300b5b41e05928906d6b170c

Download Submit
memory/872-249-0x000001A218300000-0x000001A218348000-memory.dmp

Filesize
288KB

Download
memory/1044-245-0x000002351B280000-0x000002351B2C8000-memory.dmp

Filesize
288KB

Download
memory/1100-17-0x000000001C460000-0x000000001C468000-memory.dmp

Filesize
32KB

Download
memory/1100-7-0x0000000001970000-0x0000000001986000-memory.dmp

Filesize
88KB

Download
memory/1100-114-0x00007FFA4CE50000-0x00007FFA4D911000-memory.dmp

Filesize
10.8MB

Download
memory/1100-23-0x00007FFA4CE50000-0x00007FFA4D911000-memory.dmp

Filesize
10.8MB

Download
memory/1100-20-0x00007FFA4CE50000-0x00007FFA4D911000-memory.dmp

Filesize
10.8MB

Download
memory/1100-1-0x0000000000E60000-0x0000000001020000-memory.dmp

Filesize
1.8MB

Download
memory/1100-2-0x00007FFA4CE50000-0x00007FFA4D911000-memory.dmp

Filesize
10.8MB

Download
memory/1100-19-0x000000001C5C0000-0x000000001C5CC000-memory.dmp

Filesize
48KB

Download
memory/1100-15-0x000000001BCE0000-0x000000001BCEA000-memory.dmp

Filesize
40KB

Download
memory/1100-16-0x000000001C450000-0x000000001C45E000-memory.dmp

Filesize
56KB

Download
memory/1100-3-0x0000000001920000-0x000000000193C000-memory.dmp

Filesize
112KB

Download
memory/1100-4-0x000000001C300000-0x000000001C350000-memory.dmp

Filesize
320KB

Download
memory/1100-6-0x0000000001950000-0x0000000001960000-memory.dmp

Filesize
64KB

Download
memory/1100-5-0x0000000001940000-0x0000000001948000-memory.dmp

Filesize
32KB

Download
memory/1100-8-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/1100-9-0x00000000032A0000-0x00000000032AC000-memory.dmp

Filesize
48KB

Download
memory/1100-0-0x00007FFA4CE53000-0x00007FFA4CE55000-memory.dmp

Filesize
8KB

Download
memory/1100-10-0x00000000032B0000-0x00000000032B8000-memory.dmp

Filesize
32KB

Download
memory/1100-18-0x000000001C5B0000-0x000000001C5BC000-memory.dmp

Filesize
48KB

Download
memory/1100-14-0x00000000032D0000-0x00000000032DC000-memory.dmp

Filesize
48KB

Download
memory/1100-12-0x00000000032C0000-0x00000000032D2000-memory.dmp

Filesize
72KB

Download
memory/1100-13-0x000000001C880000-0x000000001CDA8000-memory.dmp

Filesize
5.2MB

Download
memory/1136-246-0x000001F0BDA70000-0x000001F0BDAB8000-memory.dmp

Filesize
288KB

Download
memory/2200-242-0x00000240CFC10000-0x00000240CFC58000-memory.dmp

Filesize
288KB

Download
memory/2572-343-0x0000000002AE0000-0x0000000002AF2000-memory.dmp

Filesize
72KB

Download
memory/2800-222-0x0000023E76A70000-0x0000023E76AB8000-memory.dmp

Filesize
288KB

Download
memory/2964-221-0x0000019279AC0000-0x0000019279B08000-memory.dmp

Filesize
288KB

Download
memory/3148-236-0x00000219CB860000-0x00000219CB8A8000-memory.dmp

Filesize
288KB

Download
memory/3200-124-0x0000025B5BC20000-0x0000025B5BC42000-memory.dmp

Filesize
136KB

Download
memory/3200-230-0x0000025B5BAD0000-0x0000025B5BB18000-memory.dmp

Filesize
288KB

Download
memory/3544-355-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/4324-237-0x0000024ECD780000-0x0000024ECD7C8000-memory.dmp

Filesize
288KB

Download
memory/4448-233-0x0000023C2CBA0000-0x0000023C2CBE8000-memory.dmp

Filesize
288KB

Download
memory/4484-253-0x0000000000880000-0x0000000000A40000-memory.dmp

Filesize
1.8MB

Download
memory/4960-227-0x0000023AACA80000-0x0000023AACAC8000-memory.dmp

Filesize
288KB

Download