dcrat | 794c1b48e399a4ac173dcb4a6a619ad53cfa99f52b9685dc62d922dd879acb29

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Paranoid Checker 4.1.7/Paranoid Checker 4.1.7.exe
Size

2.9MB
MD5

441eb07e3d375468662db04b5892aad0
SHA1

119a7c0f7bd7e1aca6778f5a6f0acee8658b6b81
SHA256

9229a657f2e08d32136781c3923385b2dafd37ede0081b5b6341f8b6d6c87ebb
SHA512

fc46a2540ac5e5754f88c10c9bf281726dd1130140ecf9b45ff305ef98d462e008ca1cb2b0d50fd6810c2f304e56afc9b160d05714307c53c154226e6f6674d2
SSDEEP

49152:5bA3/l6mCrumolIDrgUs5WjuAGaXXCzcCEXBw123/GogkLcqeKav/aBzOP:5bg8mCrumozVAXnIes23Odk4qBBzOP

Score

10^/10

dcrat discovery evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	1848	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	1848	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral12/files/0x0007000000023cab-10.dat	dcrat
behavioral12/memory/2096-13-0x0000000000670000-0x00000000008E0000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	msComponentsaves.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Paranoid Checker 4.1.7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 14 IoCs

pid	Process
2096	msComponentsaves.exe
3352	upfc.exe
4912	upfc.exe
2220	upfc.exe
2524	upfc.exe
1496	upfc.exe
2852	upfc.exe
4440	upfc.exe
3592	upfc.exe
2268	upfc.exe
4748	upfc.exe
3644	upfc.exe
2956	upfc.exe
472	upfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
22	pastebin.com
51	pastebin.com
59	pastebin.com
21	pastebin.com
32	pastebin.com
42	pastebin.com
61	pastebin.com
57	pastebin.com
65	pastebin.com
40	pastebin.com
46	pastebin.com
49	pastebin.com
63	pastebin.com
67	pastebin.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\7a0fd90576e088	msComponentsaves.exe
File created	C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe	msComponentsaves.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\088424020bedd6	msComponentsaves.exe
File created	C:\Program Files\Windows Defender\uk-UA\taskhostw.exe	msComponentsaves.exe
File created	C:\Program Files (x86)\Google\Temp\55b276f4edf653	msComponentsaves.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\OfficeClickToRun.exe	msComponentsaves.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe	msComponentsaves.exe
File created	C:\Program Files (x86)\Windows NT\69ddcba757bf72	msComponentsaves.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\e6c9b481da804f	msComponentsaves.exe
File created	C:\Program Files\Windows Defender\uk-UA\ea9f0e6c9e2dcd	msComponentsaves.exe
File created	C:\Program Files (x86)\Windows NT\smss.exe	msComponentsaves.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe	msComponentsaves.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\explorer.exe	msComponentsaves.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\0a1fd5f707cd16	msComponentsaves.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\sppsvc.exe	msComponentsaves.exe
File created	C:\Windows\LiveKernelReports\0a1fd5f707cd16	msComponentsaves.exe
File created	C:\Windows\fr-FR\sysmon.exe	msComponentsaves.exe
File opened for modification	C:\Windows\fr-FR\sysmon.exe	msComponentsaves.exe
File created	C:\Windows\fr-FR\121e5b5079f7c0	msComponentsaves.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paranoid Checker 4.1.7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msComponentsaves.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Paranoid Checker 4.1.7.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	upfc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3176	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4652	schtasks.exe
436	schtasks.exe
3276	schtasks.exe
1816	schtasks.exe
4144	schtasks.exe
988	schtasks.exe
4992	schtasks.exe
4764	schtasks.exe
1416	schtasks.exe
3800	schtasks.exe
3588	schtasks.exe
2424	schtasks.exe
3536	schtasks.exe
4800	schtasks.exe
3836	schtasks.exe
4280	schtasks.exe
2064	schtasks.exe
1028	schtasks.exe
3980	schtasks.exe
4384	schtasks.exe
3368	schtasks.exe
460	schtasks.exe
2756	schtasks.exe
2724	schtasks.exe
4752	schtasks.exe
2068	schtasks.exe
872	schtasks.exe
1220	schtasks.exe
552	schtasks.exe
4672	schtasks.exe
3524	schtasks.exe
3272	schtasks.exe
4152	schtasks.exe
220	schtasks.exe
1620	schtasks.exe
2524	schtasks.exe
4952	schtasks.exe
4232	schtasks.exe
2036	schtasks.exe
3720	schtasks.exe
396	schtasks.exe
3548	schtasks.exe
5048	schtasks.exe
3992	schtasks.exe
2684	schtasks.exe
1404	schtasks.exe
4076	schtasks.exe
3580	schtasks.exe
1788	schtasks.exe
1964	schtasks.exe
472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2096	msComponentsaves.exe
2096	msComponentsaves.exe
2096	msComponentsaves.exe
2096	msComponentsaves.exe
2096	msComponentsaves.exe
2096	msComponentsaves.exe
2096	msComponentsaves.exe
2096	msComponentsaves.exe
2096	msComponentsaves.exe
2096	msComponentsaves.exe
2096	msComponentsaves.exe
2096	msComponentsaves.exe
2096	msComponentsaves.exe
2096	msComponentsaves.exe
2096	msComponentsaves.exe
3352	upfc.exe
4912	upfc.exe
2220	upfc.exe
2524	upfc.exe
1496	upfc.exe
2852	upfc.exe
4440	upfc.exe
3592	upfc.exe
2268	upfc.exe
4748	upfc.exe
3644	upfc.exe
2956	upfc.exe
472	upfc.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	msComponentsaves.exe
Token: SeDebugPrivilege	3352	upfc.exe
Token: SeDebugPrivilege	4912	upfc.exe
Token: SeDebugPrivilege	2220	upfc.exe
Token: SeDebugPrivilege	2524	upfc.exe
Token: SeDebugPrivilege	1496	upfc.exe
Token: SeDebugPrivilege	2852	upfc.exe
Token: SeDebugPrivilege	4440	upfc.exe
Token: SeDebugPrivilege	3592	upfc.exe
Token: SeDebugPrivilege	2268	upfc.exe
Token: SeDebugPrivilege	4748	upfc.exe
Token: SeDebugPrivilege	3644	upfc.exe
Token: SeDebugPrivilege	2956	upfc.exe
Token: SeDebugPrivilege	472	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 3048	4664	Paranoid Checker 4.1.7.exe	82
PID 4664 wrote to memory of 3048	4664	Paranoid Checker 4.1.7.exe	82
PID 4664 wrote to memory of 3048	4664	Paranoid Checker 4.1.7.exe	82
PID 3048 wrote to memory of 2928	3048	WScript.exe	83
PID 3048 wrote to memory of 2928	3048	WScript.exe	83
PID 3048 wrote to memory of 2928	3048	WScript.exe	83
PID 2928 wrote to memory of 2096	2928	cmd.exe	85
PID 2928 wrote to memory of 2096	2928	cmd.exe	85
PID 2096 wrote to memory of 4512	2096	msComponentsaves.exe	138
PID 2096 wrote to memory of 4512	2096	msComponentsaves.exe	138
PID 2928 wrote to memory of 3176	2928	cmd.exe	140
PID 2928 wrote to memory of 3176	2928	cmd.exe	140
PID 2928 wrote to memory of 3176	2928	cmd.exe	140
PID 4512 wrote to memory of 1716	4512	cmd.exe	141
PID 4512 wrote to memory of 1716	4512	cmd.exe	141
PID 4512 wrote to memory of 3352	4512	cmd.exe	145
PID 4512 wrote to memory of 3352	4512	cmd.exe	145
PID 3352 wrote to memory of 3472	3352	upfc.exe	147
PID 3352 wrote to memory of 3472	3352	upfc.exe	147
PID 3352 wrote to memory of 4228	3352	upfc.exe	148
PID 3352 wrote to memory of 4228	3352	upfc.exe	148
PID 3472 wrote to memory of 4912	3472	WScript.exe	152
PID 3472 wrote to memory of 4912	3472	WScript.exe	152
PID 4912 wrote to memory of 4356	4912	upfc.exe	153
PID 4912 wrote to memory of 4356	4912	upfc.exe	153
PID 4912 wrote to memory of 1468	4912	upfc.exe	154
PID 4912 wrote to memory of 1468	4912	upfc.exe	154
PID 4356 wrote to memory of 2220	4356	WScript.exe	156
PID 4356 wrote to memory of 2220	4356	WScript.exe	156
PID 2220 wrote to memory of 3340	2220	upfc.exe	157
PID 2220 wrote to memory of 3340	2220	upfc.exe	157
PID 2220 wrote to memory of 872	2220	upfc.exe	158
PID 2220 wrote to memory of 872	2220	upfc.exe	158
PID 3340 wrote to memory of 2524	3340	WScript.exe	159
PID 3340 wrote to memory of 2524	3340	WScript.exe	159
PID 2524 wrote to memory of 4604	2524	upfc.exe	160
PID 2524 wrote to memory of 4604	2524	upfc.exe	160
PID 2524 wrote to memory of 1036	2524	upfc.exe	161
PID 2524 wrote to memory of 1036	2524	upfc.exe	161
PID 4604 wrote to memory of 1496	4604	WScript.exe	162
PID 4604 wrote to memory of 1496	4604	WScript.exe	162
PID 1496 wrote to memory of 3912	1496	upfc.exe	163
PID 1496 wrote to memory of 3912	1496	upfc.exe	163
PID 1496 wrote to memory of 3348	1496	upfc.exe	164
PID 1496 wrote to memory of 3348	1496	upfc.exe	164
PID 3912 wrote to memory of 2852	3912	WScript.exe	165
PID 3912 wrote to memory of 2852	3912	WScript.exe	165
PID 2852 wrote to memory of 3560	2852	upfc.exe	166
PID 2852 wrote to memory of 3560	2852	upfc.exe	166
PID 2852 wrote to memory of 4392	2852	upfc.exe	167
PID 2852 wrote to memory of 4392	2852	upfc.exe	167
PID 3560 wrote to memory of 4440	3560	WScript.exe	168
PID 3560 wrote to memory of 4440	3560	WScript.exe	168
PID 4440 wrote to memory of 1476	4440	upfc.exe	169
PID 4440 wrote to memory of 1476	4440	upfc.exe	169
PID 4440 wrote to memory of 4916	4440	upfc.exe	170
PID 4440 wrote to memory of 4916	4440	upfc.exe	170
PID 1476 wrote to memory of 3592	1476	WScript.exe	171
PID 1476 wrote to memory of 3592	1476	WScript.exe	171
PID 3592 wrote to memory of 2132	3592	upfc.exe	172
PID 3592 wrote to memory of 2132	3592	upfc.exe	172
PID 3592 wrote to memory of 1824	3592	upfc.exe	173
PID 3592 wrote to memory of 1824	3592	upfc.exe	173
PID 2132 wrote to memory of 2268	2132	WScript.exe	174

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Paranoid Checker 4.1.7\Paranoid Checker 4.1.7.exe
"C:\Users\Admin\AppData\Local\Temp\Paranoid Checker 4.1.7\Paranoid Checker 4.1.7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ServerwebRefmonitorDhcp\Oj1Ch.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ServerwebRefmonitorDhcp\z0DwzT959mUKovxD5GIlvgUprT.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\ServerwebRefmonitorDhcp\msComponentsaves.exe
      "C:\ServerwebRefmonitorDhcp\msComponentsaves.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBVKe0qdyI.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1716
      - C:\ServerwebRefmonitorDhcp\upfc.exe
        
        "C:\ServerwebRefmonitorDhcp\upfc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cc6f08c-1ffd-4b10-8ffa-0e0d0a9cc54d.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e50cf1d-b3da-4bfc-8c4a-747639219b1b.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e363a72-baf2-429e-8de5-b9719c6044f0.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87337777-1d78-4e0e-bf74-52a3eb8e1ef8.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f02ce260-2a86-4e1e-9b4b-2b7e1e1eceea.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17ee6861-eb5b-43c5-b9fd-910c1abb36cb.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b7718db-b8d3-441f-a9b5-fbcf462242eb.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\841feca9-31d4-418e-bb9e-c1e0e1ef5e1a.vbs"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df1ed3c3-926f-40d8-936c-a5e3189e6151.vbs"
        23⤵
        
        PID:3440
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41f71ea7-c3f1-4a91-8612-8014fa3a801e.vbs"
        25⤵
        
        PID:1172
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adcdf7c0-afa7-4841-8e42-be2c45fe95ae.vbs"
        27⤵
        
        PID:2820
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d47c5f6-6579-44e8-bb8f-448e60802f42.vbs"
        29⤵
        
        PID:1148
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        
        C:\ServerwebRefmonitorDhcp\upfc.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d8eea9a-d6d5-4aea-825f-baa75c28a15a.vbs"
        31⤵
        
        PID:4136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe28f70e-6ff1-46ed-bd62-97ba14800603.vbs"
        31⤵
        
        PID:4088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e8a79fb-1352-4a60-a08e-116c238ca1d1.vbs"
        29⤵
        
        PID:4424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c66908d-0d86-46c1-8fff-52c052b9f6ad.vbs"
        27⤵
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b62fc76-6063-4daa-883e-45c310f4ca9e.vbs"
        25⤵
        
        PID:3584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d283feb8-4655-4531-893a-e4ca512d3d65.vbs"
        23⤵
        
        PID:756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4ced3e7-be8a-494f-b525-b5b5991c29e8.vbs"
        21⤵
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae641c9f-56d9-4457-a870-4bbbe4d45b7b.vbs"
        19⤵
        
        PID:4916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69fbb454-e237-4648-b41a-f746a76ed5f7.vbs"
        17⤵
        
        PID:4392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\336db97c-ce9a-4d14-9c18-a8cb06065da2.vbs"
        15⤵
        
        PID:3348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b04fa40f-0019-4feb-be5b-c8010b8b9700.vbs"
        13⤵
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a93080e-61f2-4dfc-aa0a-28a2fb75ed67.vbs"
        11⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0befaac6-bd29-4f22-bac7-297549596a55.vbs"
        9⤵
        
        PID:1468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc78bbd4-4b8b-4ab8-bd8e-009141b689d6.vbs"
        7⤵
        
        PID:4228
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\fr-FR\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\ServerwebRefmonitorDhcp\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ServerwebRefmonitorDhcp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\ServerwebRefmonitorDhcp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Start Menu\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\ServerwebRefmonitorDhcp\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\ServerwebRefmonitorDhcp\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\ServerwebRefmonitorDhcp\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\uk-UA\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\uk-UA\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ServerwebRefmonitorDhcp\Oj1Ch.vbe

Filesize
227B

MD5
c4f52c0631a8695b0f14c2448f58e817

SHA1
fcc2ad52443c7dcaa844b66f87e3b138a153baf9

SHA256
cda56d62ea26565c81d7cb150204b59e7e9ceee957462fd3c2ff044d97aac2f4

SHA512
0360a9bec265aa978cd0dc4ab80bedb00285ef966434f2d57c04d6b943673d29eac419035025dafce002c2c577b5b2882ce5ead6f79fb84df4e52db2d4a6c4c3

Download Submit
C:\ServerwebRefmonitorDhcp\msComponentsaves.exe

Filesize
2.4MB

MD5
e426d3b62c5478e7270a4b8c72c71539

SHA1
d65a844d8f8dd1655aba5a0927d6373480b79632

SHA256
4023c7f0a9dc47dcbefc20bf92423a1c4a80de962f79ff78fd6cdca64def73b5

SHA512
21401403a59d79f619316a34a247d752f56d1172fe70934a872e37253e9a3c99defbf3f5b08ff079cab5e2fbb4648b0428e253e402c6627ef55edb5951614454

Download Submit
C:\ServerwebRefmonitorDhcp\z0DwzT959mUKovxD5GIlvgUprT.bat

Filesize
161B

MD5
a5249d8d9ac9a994fb125f32d6e61ef7

SHA1
f2df0aeb2f44fe19e352a83851c1f6f1c1717920

SHA256
e1e77331eaf029bdf0b48562314dfd82c47cc85b28e2a66c506d388056713f55

SHA512
5e47c5e6b475a3b9eeb6414311eccf39b04067fe06d7ff91d6327f61656f6ba1d2a52addd96afa27a7a036164e539f37ffde24c76c6896e4b82ef1d978839532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\17ee6861-eb5b-43c5-b9fd-910c1abb36cb.vbs

Filesize
711B

MD5
ce3a3c59d56c31afa4f8b9822bade1bb

SHA1
1526beccd2737a3cc1d2ebc637bc997ff84a4c16

SHA256
507786342cb363eaa1ced895bc3e9cb62c7c15be08fe162cbc01bfcf977f3656

SHA512
3a0e729c314529fa44440a3d0dfd6a59f67051c28f498c07061d36dea8804ab5bdc599d2493ddd4fa9b57fa388ce611bfad5f6ab97313b5bc9b80cfc75688fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d8eea9a-d6d5-4aea-825f-baa75c28a15a.vbs

Filesize
710B

MD5
bf8b656ae0118efcd4677baa1fd5e2d6

SHA1
bcc8c9d6b40ba01aa8697f926472569c4dc4ef01

SHA256
1eacafd532275bd7f3db28e5c5a2c31c80064154533f129b6e7763c1b9ab054a

SHA512
4433d4b2f77859729f249667df0210e31e754ffa494b627e16bbac71622805fe5758ee10817d050059b09c8c38d412df1e1357d0259a02b6e0e13a2f6902883f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e363a72-baf2-429e-8de5-b9719c6044f0.vbs

Filesize
711B

MD5
0249b761f158536899f254c92f5b3fce

SHA1
0955b66c4354c9a963e514765b13a0fb6c19cbde

SHA256
974d2079de7b3976349d6602a5e234816766b0b65aa04653877b3a908538408a

SHA512
57a7b56f0057f43db3c588c900572b443e9e5c893f9f30b77f35b790428d1183cb1a3d585c02a887be0dc47804fbedad6fb4049de7d0b411dae62a0ea0c9202a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cc6f08c-1ffd-4b10-8ffa-0e0d0a9cc54d.vbs

Filesize
711B

MD5
9b7cb7f65e9bfd4b281bb5ece1711f1a

SHA1
bb6a05a65deef4885aa21ea39bfb3014e969e181

SHA256
fca148ce9f3a5e9bb33dd3582da7dfede84474808dbd4029481b9aa9b0855f6d

SHA512
fe98c43296d08503ff77f44a22c09e957084572956a550600fbf4223f71e196198a23209d72bef4fbdbf06fe8d2a51b39789f1c90c2ab4c6b62a31bf45b042a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\41f71ea7-c3f1-4a91-8612-8014fa3a801e.vbs

Filesize
711B

MD5
a3e0b12e7bfdcb91eea9986b4d3ded01

SHA1
50e9cbb815096a688ea9ba782e252400da9f8874

SHA256
c3df48e5bc59aadec77395abbc0657035477f00190c4f43059ccd4cb888fa13f

SHA512
ca0ba75f418428c49913180dca3ece0898c6a5bec6586822ebf2d5ea49ca80f7f235b90d789dc41fa10d870a81830d046e9ea25e9f8a6b8811028d2832d486cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e50cf1d-b3da-4bfc-8c4a-747639219b1b.vbs

Filesize
711B

MD5
043fd5087540b5ff6759b8a42919c4a3

SHA1
df3ecd9dc723eb1d79545c209f9adbc99367f173

SHA256
413b8c63f04da611afa8be0c994615ce16db5e6e5453a08e566d523bfbacdc3b

SHA512
8df472b9d95b02593d31fc3875cad1b88a6c459c978656681944f0df3439ce917a5fef564cac631addcb2ead313aef5633bd7a82509ddfed29e27f08ee28b73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d47c5f6-6579-44e8-bb8f-448e60802f42.vbs

Filesize
711B

MD5
815061dafc53e04ef37ca129cdae3d31

SHA1
aa582554ed15c968a9b331632950095c3465a709

SHA256
18473a9864909097291c667f51756e481b20ebdbd3b29ebb6ea27953e04bb7f6

SHA512
ff76d910e8b21a5aabe33fe85d3510d2f5cda28c7315d2202ca9f27c3bc81c352fd621d016076b7056694c68a2393dd9b0c1bf7b2e4ed9ae976b1c995b7c8937

Download Submit
C:\Users\Admin\AppData\Local\Temp\841feca9-31d4-418e-bb9e-c1e0e1ef5e1a.vbs

Filesize
711B

MD5
fe0a217b2fbc4affa482c8fc86a015a9

SHA1
0b24bd42172d73f43fbf7b7d7932e51270a5bbf2

SHA256
bffaf50d99a3b423c57fbeef1617553cb9c803e3eeacb016b1650725d872c964

SHA512
4cef34d1032cf5e958481366643f20486128992da35669acc27ddeda316d8e807c718590f2352e50e0c87bb6b1b896495eefe7f61fd556fca50093fae6cddada

Download Submit
C:\Users\Admin\AppData\Local\Temp\87337777-1d78-4e0e-bf74-52a3eb8e1ef8.vbs

Filesize
711B

MD5
cc4209767c16a6b219d8acca836a0b59

SHA1
6aef17e64fd2d98c834a4497235effba1a1ce3da

SHA256
856d68feb8a0b99e966eec87c65589539a78a9eba0b820bd38be15d6e08eda1d

SHA512
92f3f0fdc9afb4e38684725fd0066543c91f1fe2f77bae1529815d4f6b56db35577561fe4e4bb07617358cdff7ae138504fbf3e49f8af48682c6031d68a9dac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b7718db-b8d3-441f-a9b5-fbcf462242eb.vbs

Filesize
711B

MD5
c55032c3798a6e1e58de39b908255ecb

SHA1
6f1b2e1bcf3162389ee8d50890fb32de8be415ae

SHA256
ff1f02a182589488cd57dd156b98b3d8c0cb85b7c163a009dcae719195740250

SHA512
5ed9343934bab0b645567b4c0c2d7b331859930773b1d4476dd9e9c50f6a20cfdb55780dbc87e38def0f9ca5b9808d7aaca6f72ad81264b5fdc379ce2b2ed34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBVKe0qdyI.bat

Filesize
200B

MD5
4485230723b1e5c1a202befde7aa36c9

SHA1
e222ea5f8c9b10b4e899349ae8093743983b8075

SHA256
adcebe937567b5eda3023286b3f5f54b51822c46d771dd19c74fcb4011125c13

SHA512
c9d769c36a59682ff735ad3af59420c3096e43687b10ce1f8011865430c415ba769ae6f4c37b52608e9876fa298ef3e0e01019064d53a2c3a47b13e243868007

Download Submit
C:\Users\Admin\AppData\Local\Temp\adcdf7c0-afa7-4841-8e42-be2c45fe95ae.vbs

Filesize
711B

MD5
fc4bf3af1e96e7c4002174a78eb5e4cb

SHA1
595e832423e48dffbeb7aaa6b8b22897488fd997

SHA256
63164f85753211f1051c578c717887a802ae8dfee7cb19f0dec6b3ab562fcebf

SHA512
98c97427cec85cf24dc76d037a4cec879bbf16585bef29e9fc1b675ffe81fcfe3c0b5d009172a54aaa290183fe6016bcc7e79068401c90444fd51e0b1ea21f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\df1ed3c3-926f-40d8-936c-a5e3189e6151.vbs

Filesize
711B

MD5
853af22cfe8560e57bb995452bde3136

SHA1
d8cb76a96ef39fc96c3917723a82a44f21b74289

SHA256
d69c9ba7de27d7c58af60c78007f4a540b48a91cf6d03eca0ee97c54ae56cdcf

SHA512
a26b42712f274d5af9ee4e8d3211ab4875af189b698e0032d5a72bc82e0833c9b73a09dafab0d33c9c526ffd9c8c2a4d67ac2429f8df2086788c64dcd9255010

Download Submit
C:\Users\Admin\AppData\Local\Temp\f02ce260-2a86-4e1e-9b4b-2b7e1e1eceea.vbs

Filesize
711B

MD5
b24e79e7736fa39cf13f4b1edc74d295

SHA1
a663c36770d1906562a70d2b8efef0291ee57272

SHA256
87db96cf6b079d7e36b4b066d8e15679e6dc57fba4aa4f644ccd49ed6607569b

SHA512
7bff475f9158b53a24703f84baf1b6377dbf294429b99d71121d2f168fc88bcd439447f8130c5259f89f4c3a0fd7b3c9b2e01320c1b8240cb15ebb7dac07647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc78bbd4-4b8b-4ab8-bd8e-009141b689d6.vbs

Filesize
487B

MD5
6303f3d498b2f5f985267ceda5fca349

SHA1
5e7525d1b956d166e084effdd150d9bd3ac4c9f6

SHA256
89670a4a43220d538d39f152a0d27b908d15210d9155bed79f8e9e5fb4f947ae

SHA512
6a76f4e56858f6cfdc63ecb41539976ba6bd1b01ed006c43e2ab43b3255b90e2c0ac2d64b35401038932587df28d849daedfadbcce226832ea35b01e8bd781a2

Download Submit
memory/472-206-0x000000001B3B0000-0x000000001B3C2000-memory.dmp

Filesize
72KB

Download
memory/2096-20-0x0000000002CA0000-0x0000000002CAC000-memory.dmp

Filesize
48KB

Download
memory/2096-19-0x000000001C470000-0x000000001C998000-memory.dmp

Filesize
5.2MB

Download
memory/2096-12-0x00007FFFAC133000-0x00007FFFAC135000-memory.dmp

Filesize
8KB

Download
memory/2096-25-0x000000001BE00000-0x000000001BE0C000-memory.dmp

Filesize
48KB

Download
memory/2096-22-0x0000000002CB0000-0x0000000002CBA000-memory.dmp

Filesize
40KB

Download
memory/2096-21-0x000000001BCA0000-0x000000001BCF6000-memory.dmp

Filesize
344KB

Download
memory/2096-14-0x0000000001040000-0x000000000105C000-memory.dmp

Filesize
112KB

Download
memory/2096-23-0x0000000002D10000-0x0000000002D1E000-memory.dmp

Filesize
56KB

Download
memory/2096-24-0x000000001BCF0000-0x000000001BCF8000-memory.dmp

Filesize
32KB

Download
memory/2096-17-0x0000000002B30000-0x0000000002B46000-memory.dmp

Filesize
88KB

Download
memory/2096-13-0x0000000000670000-0x00000000008E0000-memory.dmp

Filesize
2.4MB

Download
memory/2096-18-0x0000000002C70000-0x0000000002C82000-memory.dmp

Filesize
72KB

Download
memory/2096-16-0x0000000002B20000-0x0000000002B28000-memory.dmp

Filesize
32KB

Download
memory/2096-15-0x0000000002CC0000-0x0000000002D10000-memory.dmp

Filesize
320KB

Download
memory/2220-93-0x000000001C010000-0x000000001C066000-memory.dmp

Filesize
344KB

Download
memory/2220-92-0x000000001B970000-0x000000001B982000-memory.dmp

Filesize
72KB

Download
memory/3592-150-0x0000000002FC0000-0x0000000002FD2000-memory.dmp

Filesize
72KB

Download
memory/4440-138-0x000000001B8E0000-0x000000001B936000-memory.dmp

Filesize
344KB

Download