dcrat | 3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d

Analysis

max time kernel
120s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
Size

1.7MB
MD5

a556bf4a925150c916fde2eb12612af8
SHA1

9b104cc1d99689e09b14ccff6a7d58b6a425131a
SHA256

3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d
SHA512

c98deed1cdc21771fa39a8ba842ed6f284f3cb371ebbeeb04652fc6ad436a20b9e3fdcc9b7e0a4c29ac8ae8b45196268107c3db27db2e9343e7c9b537bc76161
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvl:+THUxUoh1IF9gl2M

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	1132	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1132	schtasks.exe	82

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1760-1-0x0000000000EA0000-0x0000000001060000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b65-30.dat	dcrat
behavioral2/files/0x000b000000023b62-98.dat	dcrat
behavioral2/files/0x000c000000023b65-111.dat	dcrat
behavioral2/files/0x000c000000023b6a-122.dat	dcrat
behavioral2/files/0x000c000000023b6e-133.dat	dcrat
behavioral2/memory/2972-283-0x00000000004D0000-0x0000000000690000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3240	powershell.exe
3152	powershell.exe
3244	powershell.exe
540	powershell.exe
4876	powershell.exe
4416	powershell.exe
2164	powershell.exe
888	powershell.exe
1280	powershell.exe
4552	powershell.exe
4820	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Registry.exe

Executes dropped EXE 8 IoCs

pid	Process
2972	Registry.exe
536	Registry.exe
1792	Registry.exe
3672	Registry.exe
3348	Registry.exe
3336	Registry.exe
4272	Registry.exe
4384	Registry.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\RCX8272.tmp	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\RCX8488.tmp	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\e1ef82546f0b02	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\RCX8283.tmp	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\RCX84B8.tmp	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\SppExtComObj.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\886983d96e3d3e	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\SppExtComObj.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\GameBarPresenceWriter\55b276f4edf653	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Windows\security\audit\lsass.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCX8C1F.tmp	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCX8C8E.tmp	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Windows\security\audit\RCX8ED1.tmp	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Windows\security\audit\RCX8F4F.tmp	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File created	C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File created	C:\Windows\security\audit\lsass.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File created	C:\Windows\security\audit\6203df4a6bafc7	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2368	schtasks.exe
3080	schtasks.exe
2212	schtasks.exe
1644	schtasks.exe
4140	schtasks.exe
4840	schtasks.exe
1792	schtasks.exe
4292	schtasks.exe
1232	schtasks.exe
876	schtasks.exe
1684	schtasks.exe
2860	schtasks.exe
2220	schtasks.exe
232	schtasks.exe
5016	schtasks.exe
816	schtasks.exe
1124	schtasks.exe
3476	schtasks.exe
2556	schtasks.exe
840	schtasks.exe
1972	schtasks.exe
4584	schtasks.exe
1780	schtasks.exe
2392	schtasks.exe
2720	schtasks.exe
1452	schtasks.exe
3352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
3244	powershell.exe
3244	powershell.exe
3152	powershell.exe
3152	powershell.exe
4416	powershell.exe
4416	powershell.exe
2164	powershell.exe
2164	powershell.exe
540	powershell.exe
540	powershell.exe
4876	powershell.exe
4876	powershell.exe
4820	powershell.exe
4820	powershell.exe
4552	powershell.exe
4552	powershell.exe
888	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	2972	Registry.exe
Token: SeDebugPrivilege	536	Registry.exe
Token: SeDebugPrivilege	1792	Registry.exe
Token: SeDebugPrivilege	3672	Registry.exe
Token: SeDebugPrivilege	3348	Registry.exe
Token: SeDebugPrivilege	3336	Registry.exe
Token: SeDebugPrivilege	4272	Registry.exe
Token: SeDebugPrivilege	4384	Registry.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 3240	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	110
PID 1760 wrote to memory of 3240	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	110
PID 1760 wrote to memory of 4416	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	111
PID 1760 wrote to memory of 4416	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	111
PID 1760 wrote to memory of 3244	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	112
PID 1760 wrote to memory of 3244	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	112
PID 1760 wrote to memory of 3152	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	113
PID 1760 wrote to memory of 3152	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	113
PID 1760 wrote to memory of 540	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	116
PID 1760 wrote to memory of 540	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	116
PID 1760 wrote to memory of 4820	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	118
PID 1760 wrote to memory of 4820	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	118
PID 1760 wrote to memory of 4552	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	120
PID 1760 wrote to memory of 4552	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	120
PID 1760 wrote to memory of 1280	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	121
PID 1760 wrote to memory of 1280	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	121
PID 1760 wrote to memory of 888	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	122
PID 1760 wrote to memory of 888	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	122
PID 1760 wrote to memory of 2164	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	123
PID 1760 wrote to memory of 2164	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	123
PID 1760 wrote to memory of 4876	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	124
PID 1760 wrote to memory of 4876	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	124
PID 1760 wrote to memory of 3248	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	132
PID 1760 wrote to memory of 3248	1760	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	132
PID 3248 wrote to memory of 644	3248	cmd.exe	134
PID 3248 wrote to memory of 644	3248	cmd.exe	134
PID 3248 wrote to memory of 2972	3248	cmd.exe	138
PID 3248 wrote to memory of 2972	3248	cmd.exe	138
PID 2972 wrote to memory of 1168	2972	Registry.exe	140
PID 2972 wrote to memory of 1168	2972	Registry.exe	140
PID 2972 wrote to memory of 4884	2972	Registry.exe	141
PID 2972 wrote to memory of 4884	2972	Registry.exe	141
PID 1168 wrote to memory of 536	1168	WScript.exe	144
PID 1168 wrote to memory of 536	1168	WScript.exe	144
PID 536 wrote to memory of 3976	536	Registry.exe	145
PID 536 wrote to memory of 3976	536	Registry.exe	145
PID 536 wrote to memory of 2952	536	Registry.exe	146
PID 536 wrote to memory of 2952	536	Registry.exe	146
PID 3976 wrote to memory of 1792	3976	WScript.exe	149
PID 3976 wrote to memory of 1792	3976	WScript.exe	149
PID 1792 wrote to memory of 3240	1792	Registry.exe	150
PID 1792 wrote to memory of 3240	1792	Registry.exe	150
PID 1792 wrote to memory of 2208	1792	Registry.exe	151
PID 1792 wrote to memory of 2208	1792	Registry.exe	151
PID 3240 wrote to memory of 3672	3240	WScript.exe	152
PID 3240 wrote to memory of 3672	3240	WScript.exe	152
PID 3672 wrote to memory of 4072	3672	Registry.exe	153
PID 3672 wrote to memory of 4072	3672	Registry.exe	153
PID 3672 wrote to memory of 3664	3672	Registry.exe	154
PID 3672 wrote to memory of 3664	3672	Registry.exe	154
PID 4072 wrote to memory of 3348	4072	WScript.exe	155
PID 4072 wrote to memory of 3348	4072	WScript.exe	155
PID 3348 wrote to memory of 2540	3348	Registry.exe	156
PID 3348 wrote to memory of 2540	3348	Registry.exe	156
PID 3348 wrote to memory of 4448	3348	Registry.exe	157
PID 3348 wrote to memory of 4448	3348	Registry.exe	157
PID 2540 wrote to memory of 3336	2540	WScript.exe	158
PID 2540 wrote to memory of 3336	2540	WScript.exe	158
PID 3336 wrote to memory of 4828	3336	Registry.exe	159
PID 3336 wrote to memory of 4828	3336	Registry.exe	159
PID 3336 wrote to memory of 1512	3336	Registry.exe	160
PID 3336 wrote to memory of 1512	3336	Registry.exe	160
PID 4828 wrote to memory of 4272	4828	WScript.exe	161
PID 4828 wrote to memory of 4272	4828	WScript.exe	161

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
"C:\Users\Admin\AppData\Local\Temp\3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KzReakCBi1.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:644
- - C:\Users\All Users\USOShared\Logs\Registry.exe
    "C:\Users\All Users\USOShared\Logs\Registry.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\807c29e6-d9c4-4a5c-90ca-5beec9c1d83d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Users\All Users\USOShared\Logs\Registry.exe
        
        "C:\Users\All Users\USOShared\Logs\Registry.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fae46ab-1940-4995-bc33-0efe2d4e4450.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Users\All Users\USOShared\Logs\Registry.exe
        
        "C:\Users\All Users\USOShared\Logs\Registry.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\271b8c59-6cea-4740-8beb-47a371433c44.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Users\All Users\USOShared\Logs\Registry.exe
        
        "C:\Users\All Users\USOShared\Logs\Registry.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\187d4792-f9f1-4b1c-b607-2a4df95359cb.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Users\All Users\USOShared\Logs\Registry.exe
        
        "C:\Users\All Users\USOShared\Logs\Registry.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13028289-436c-4ce6-8186-8819808cc678.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Users\All Users\USOShared\Logs\Registry.exe
        
        "C:\Users\All Users\USOShared\Logs\Registry.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f3d68db-3cb0-48b4-9d12-b437528d3673.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Users\All Users\USOShared\Logs\Registry.exe
        
        "C:\Users\All Users\USOShared\Logs\Registry.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b4035b7-1ecf-42d7-9c7b-41156f211286.vbs"
        16⤵
        
        PID:3724
        
        C:\Users\All Users\USOShared\Logs\Registry.exe
        
        "C:\Users\All Users\USOShared\Logs\Registry.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eb76aab-f7c4-42f1-9932-a7710e120d25.vbs"
        18⤵
        
        PID:3244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5795f600-07c1-4608-83e1-a396445091bd.vbs"
        18⤵
        
        PID:968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab782479-6895-4a20-9760-862f91a2c1a7.vbs"
        16⤵
        
        PID:4716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d55e910e-eb87-4993-8621-463e17351e73.vbs"
        14⤵
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01ce29c9-b5c5-4366-863b-823bf0ef46f9.vbs"
        12⤵
        
        PID:4448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fa4ebdf-b982-4f96-84aa-cc24670cf1a0.vbs"
        10⤵
        
        PID:3664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e8b70f8-4a5c-4899-8fa7-1397609a87e3.vbs"
        8⤵
        
        PID:2208
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5346964a-34aa-4394-9e5f-d2577e86ef9a.vbs"
        6⤵
        
        PID:2952
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\562f5a52-a0f0-4d4b-bc7c-bfc94c017864.vbs"
      4⤵
      PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\security\audit\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\security\audit\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\security\audit\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\USOShared\Logs\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\USOShared\Logs\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\USOShared\Logs\Registry.exe

Filesize
1.7MB

MD5
39d394da32963b68b815bbb167553ee8

SHA1
00b8c52148759da8c9df4a8b78c72e66ab50f802

SHA256
65d8ec8e3d70242af64f7bd77160722fdc183c394f771821f4d9157a2cbd4c0c

SHA512
cb8924e45ceabd8ecd8e94e229468e6f36c46ac9b5e16ea1963b3d077f9f41a68a1e20301b4963fa9611b21194badf202c28718f8d9c667f1b839bd642fbc46f

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.7MB

MD5
a556bf4a925150c916fde2eb12612af8

SHA1
9b104cc1d99689e09b14ccff6a7d58b6a425131a

SHA256
3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d

SHA512
c98deed1cdc21771fa39a8ba842ed6f284f3cb371ebbeeb04652fc6ad436a20b9e3fdcc9b7e0a4c29ac8ae8b45196268107c3db27db2e9343e7c9b537bc76161

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.7MB

MD5
fdafe6c60a2c1ccddf9c55f64f4d146e

SHA1
73eb8ae8af70676d3840419512f273f85afd01fe

SHA256
c122f0a53346dfbc1d938bc1a1deb548822997fd542b4e0db2520b74464360bd

SHA512
8830b8e5e1a3d142467298755d74cb8324668f04dedc2521cffe21861a3a1b17c7cd392c32ebffd51d1288cd3517e6d7bb10555c22650463ca0be96380485caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\13028289-436c-4ce6-8186-8819808cc678.vbs

Filesize
722B

MD5
5f39d5fb2870e95572cbb12064942b45

SHA1
6e92b87e083c2d2dbad469517fdc960160289df8

SHA256
7eadba4b4d892b2c3106869017b130f59423e1a6126dbd0170f6b196b10f7e0e

SHA512
0baa197d682b86420fe2dcec3d9f7797c4777d48c90dd710a57fb15b5a092bda5634bf950d44ec72888a8df5e0bd4bc739cf6cba3ef6b3bebf27cb938939ddcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\187d4792-f9f1-4b1c-b607-2a4df95359cb.vbs

Filesize
722B

MD5
8f1fe77005ae3129dcc9490e0a4128e6

SHA1
9f84090bcf7d859a8a8688bd4e705e89628c1705

SHA256
ddabc2822382c1ca7c3883b6ac408fdad9c9ba185e63d901b323cda86db5b27b

SHA512
426a8d36fbde04d9293b62ffee27a26ef90beec39500d574a693effd7ee6234578aeb7475c3becfe99c23375af35452cf51c6761424428d3ec24c4a1d830688c

Download Submit
C:\Users\Admin\AppData\Local\Temp\271b8c59-6cea-4740-8beb-47a371433c44.vbs

Filesize
722B

MD5
265210972bd76e5d0f2017b7a08e472a

SHA1
6e6950d78956d210383fb2cb09c3121932825c6c

SHA256
1c92d0f040ffd01a4169f5429fcfb83eb6962b1206283ed96ebf277468b6e555

SHA512
200728469ccd7993cbf8de3c273ff767218226fa168907040865f3d99eace5094f1be6f186c2af8378b65596e96b9c97c2d7f7e35bdc113c5d740f5608053b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f3d68db-3cb0-48b4-9d12-b437528d3673.vbs

Filesize
722B

MD5
841c0283d37b66ee7f61dbd067b84bca

SHA1
cf41abc3d2a87e1ae89f2b6c8045df79ca03a880

SHA256
a1099323e138442a48d5dff52272969a2298ea30093aff0e7507b982bfa2259a

SHA512
417c0be549c5080031b780a0690844590d110ef28f7c3398d68551e0649d77f9ea7c1e8a321027562ae3d42d4433f54c42e8e1c254c12d183e80ae602ec7dbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\562f5a52-a0f0-4d4b-bc7c-bfc94c017864.vbs

Filesize
498B

MD5
9ed58c7f951228ecfd8bdef4a049c2e0

SHA1
dd5b713106c10f5e73386d7e2aae56cd1a87ddf1

SHA256
6fab2cb7f743e2fec51dbcc4a084c36421baa711ee3c88ce5149b521218345a0

SHA512
efe0cf5a43d205437ea9a4d9c48b734c0580cf7c7c554ed4e02d715d676472b989e03ee99286573252aef35e8157d6b6f0c04a61d3422a0c1fdfcda960e120ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\6fae46ab-1940-4995-bc33-0efe2d4e4450.vbs

Filesize
721B

MD5
047016b2d46b2880f0148cea048b2cdc

SHA1
c84dc803d4175fd0fe4917124571d158d95a72a2

SHA256
886a9cbfc49e2ffef7f6d8beee83a2349b246dcb1dd330c44d3fdb1dfc180f1f

SHA512
3893c4b79792ad61694b29635e2c8c748d8d1c8582e7e23aa7da4565395d553f1ea21a074b1a3b82c18a1d497114db24e587061fd4fe6c95dcaa9c7c267f6e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b4035b7-1ecf-42d7-9c7b-41156f211286.vbs

Filesize
722B

MD5
30c8f7e86068a9baee8ce0b4fd0e8ca7

SHA1
6572d291c953e9466391202a39943a758c58cab5

SHA256
cbcb4d754c7eeef99a7ee750da6ad6529a8a73636f7e49b79d3991ccf494eab2

SHA512
886adcb38ca523007eaaeec9e8d614166700a64b5f30c6cece8d527b0968c19aa61284903e70bde2a7767ee05efa9050a91ca46f821b0f8ec769f7c8fbdc58f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\807c29e6-d9c4-4a5c-90ca-5beec9c1d83d.vbs

Filesize
722B

MD5
32271182cc71e2b7dc70b9da32fb8bbc

SHA1
1614e85e3451a55ba7b66bb527787158e6637e6e

SHA256
cc760f8a1608b8dffb606e2049c4a1fc6fd9966a46a208dcd91496056e69a04b

SHA512
0ad263a5465eadea1784fd22bb6854492c5c2c4cb3d7719d0e3158166da745ebcce83c1181f28e998b2945376908193668e9ff57744ccb8c4c4eb31d11f7a5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8eb76aab-f7c4-42f1-9932-a7710e120d25.vbs

Filesize
722B

MD5
c11997251a8ff129b7b9e9ea0c422ea7

SHA1
3788b5b1744587a37215a9ef29a0d0cf724515ac

SHA256
46a73253667b9230cbfcf6213b119c02fa9eb012200316e7d7b6811c6472db72

SHA512
a59ba7ec5b2551ff6c36648ae083841a4c36e979dfddd2c4e7f7ded1f662d2adbef4a4ee9fc4a5ff04b8130bb7657abb053a5180a759b155a21ac9972745ae31

Download Submit
C:\Users\Admin\AppData\Local\Temp\KzReakCBi1.bat

Filesize
211B

MD5
8657f57bafe2f7fa8be8db957bfc3185

SHA1
b04158ab52a0b03f7cf4660b00da0b274a8a2c73

SHA256
06f1392d6e850f5ea36395e1d658c78a13fe3bd888d4d468312dd11260777bc7

SHA512
fbdb39a0e8da6eaedb32495a4037ef8ffaf5c90762aebf65c89162c2ed287a058d19935a28da77441d3423befb99da561c4de161c18865c957c718433363a0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_irnmhy42.hjq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\GameBarPresenceWriter\StartMenuExperienceHost.exe

Filesize
1.7MB

MD5
acfa867043e9c6d7d86f775b19a0e1ca

SHA1
0902955796c281f69e9d09594d5d2d3018293525

SHA256
6f69adab2cc5cc5ff7548e524f470b64f8b2fd26de8603766be492ab2e93099a

SHA512
740a7132dda341fede5407d1e0bcb6117fe9490693e7c884542f11db75841347d658a5a90ef6e4b87d093201698530f891d1dade20caf17d6b1096f282c059be

Download Submit
C:\Windows\security\audit\lsass.exe

Filesize
1.7MB

MD5
5f3b12715602b47ed3e8423ba637e5d9

SHA1
5c1f623ccfdca78b751bd8da6a33062cb4af771b

SHA256
dc32232efbd2c2e1effe5e0f1cfa60f2237b88b52004641b9b4ad7b60ae979b4

SHA512
f3361d192292e7d26c92d529d4c51db8880dee7a415ac43b0ab8bfc27c7a45d2bd0d5558ce244e33b1b820b5ea404353f189549e5354b85a85bc71072747a602

Download Submit
memory/536-297-0x000000001B870000-0x000000001B882000-memory.dmp

Filesize
72KB

Download
memory/1760-136-0x00007FFB82543000-0x00007FFB82545000-memory.dmp

Filesize
8KB

Download
memory/1760-6-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/1760-0-0x00007FFB82543000-0x00007FFB82545000-memory.dmp

Filesize
8KB

Download
memory/1760-148-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download
memory/1760-155-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download
memory/1760-22-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download
memory/1760-1-0x0000000000EA0000-0x0000000001060000-memory.dmp

Filesize
1.8MB

Download
memory/1760-19-0x000000001BDC0000-0x000000001BDCC000-memory.dmp

Filesize
48KB

Download
memory/1760-16-0x000000001BD90000-0x000000001BD9E000-memory.dmp

Filesize
56KB

Download
memory/1760-17-0x000000001BDA0000-0x000000001BDA8000-memory.dmp

Filesize
32KB

Download
memory/1760-18-0x000000001BDB0000-0x000000001BDBC000-memory.dmp

Filesize
48KB

Download
memory/1760-15-0x000000001BD80000-0x000000001BD8A000-memory.dmp

Filesize
40KB

Download
memory/1760-14-0x00000000034A0000-0x00000000034AC000-memory.dmp

Filesize
48KB

Download
memory/1760-13-0x000000001C9C0000-0x000000001CEE8000-memory.dmp

Filesize
5.2MB

Download
memory/1760-2-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download
memory/1760-3-0x0000000003270000-0x000000000328C000-memory.dmp

Filesize
112KB

Download
memory/1760-12-0x0000000003420000-0x0000000003432000-memory.dmp

Filesize
72KB

Download
memory/1760-10-0x0000000003410000-0x0000000003418000-memory.dmp

Filesize
32KB

Download
memory/1760-9-0x0000000003400000-0x000000000340C000-memory.dmp

Filesize
48KB

Download
memory/1760-7-0x00000000033E0000-0x00000000033F6000-memory.dmp

Filesize
88KB

Download
memory/1760-8-0x00000000032A0000-0x00000000032B0000-memory.dmp

Filesize
64KB

Download
memory/1760-5-0x00000000018B0000-0x00000000018B8000-memory.dmp

Filesize
32KB

Download
memory/1760-23-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download
memory/1760-4-0x0000000003430000-0x0000000003480000-memory.dmp

Filesize
320KB

Download
memory/2972-284-0x000000001B980000-0x000000001B992000-memory.dmp

Filesize
72KB

Download
memory/2972-283-0x00000000004D0000-0x0000000000690000-memory.dmp

Filesize
1.8MB

Download
memory/3152-183-0x000001F3CE1F0000-0x000001F3CE212000-memory.dmp

Filesize
136KB

Download
memory/4272-353-0x0000000003670000-0x0000000003682000-memory.dmp

Filesize
72KB

Download
memory/4384-365-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download