dcrat | bd1d4e5e6380d4e4c398b3bd1f3bfc20ffa576c004773b1f637fd272b771c125

Analysis

max time kernel
100s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-01-2025 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Genshin Impact.exe
Size

1.6MB
MD5

b4bb269011c062cb169969258ab0e1b9
SHA1

6f17b1266eabfad46eee405f8245c604468a52c5
SHA256

bd1d4e5e6380d4e4c398b3bd1f3bfc20ffa576c004773b1f637fd272b771c125
SHA512

e89088f16658ac3d5d69808080b47638a4f5d699ac3569cc88b07e3a8f4666e89e570cfb4512c161e8ccf9b5537e7ea281fc440b06b7484af33b94f55ecacd43
SSDEEP

24576:u2G/nvxW3WieC9LFgyTXNVqSwYFBQS3qojUYBo1wKrYUwBIlRicmIvvN9Zl:ubA3jNFguXDx3qoj9BqwenWIlIIvXX

Score

10^/10

dcrat discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5508	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5524	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5560	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5540	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5576	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5592	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5612	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5628	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5668	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5644	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5684	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5700	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5716	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5736	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5752	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5772	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5788	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5824	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5840	4520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5852	4520	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0028000000046132-13.dat	dcrat
behavioral1/memory/3808-16-0x0000000000B40000-0x0000000000C8C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4368	powershell.exe
4088	powershell.exe
5000	powershell.exe
5924	powershell.exe
5908	powershell.exe
5892	powershell.exe
1484	powershell.exe
3872	powershell.exe
1412	powershell.exe
4128	powershell.exe
3748	powershell.exe
5900	powershell.exe
5940	powershell.exe
4704	powershell.exe
4828	powershell.exe
4820	powershell.exe
2364	powershell.exe
5876	powershell.exe
5948	powershell.exe
4816	powershell.exe
4492	powershell.exe
2660	powershell.exe
5884	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Genshin Impact.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	PortwebSaves.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	PortwebSaves.exe

Executes dropped EXE 3 IoCs

pid	Process
3808	PortwebSaves.exe
4080	PortwebSaves.exe
4712	sysmon.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\cc11b995f2a76d	PortwebSaves.exe
File created	C:\Program Files (x86)\Google\Update\Offline\886983d96e3d3e	PortwebSaves.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\csrss.exe	PortwebSaves.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\sysmon.exe	PortwebSaves.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\121e5b5079f7c0	PortwebSaves.exe
File created	C:\Program Files\Internet Explorer\ja-JP\886983d96e3d3e	PortwebSaves.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\886983d96e3d3e	PortwebSaves.exe
File created	C:\Program Files\Microsoft Office 15\taskhostw.exe	PortwebSaves.exe
File created	C:\Program Files\Windows Media Player\en-US\5b884080fd4f94	PortwebSaves.exe
File created	C:\Program Files\Windows Media Player\en-US\fontdrvhost.exe	PortwebSaves.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\sihost.exe	PortwebSaves.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\66fc9ff0ee96c2	PortwebSaves.exe
File created	C:\Program Files\Internet Explorer\ja-JP\csrss.exe	PortwebSaves.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe	PortwebSaves.exe
File created	C:\Program Files\Microsoft Office 15\ea9f0e6c9e2dcd	PortwebSaves.exe
File created	C:\Program Files (x86)\Google\Update\Offline\csrss.exe	PortwebSaves.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\56085415360792	PortwebSaves.exe
File created	C:\Windows\it-IT\sysmon.exe	PortwebSaves.exe
File created	C:\Windows\it-IT\121e5b5079f7c0	PortwebSaves.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe	PortwebSaves.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\5b884080fd4f94	PortwebSaves.exe
File created	C:\Windows\ja-JP\wininit.exe	PortwebSaves.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Genshin Impact.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	Genshin Impact.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3156	schtasks.exe
1256	schtasks.exe
5524	schtasks.exe
5772	schtasks.exe
5852	schtasks.exe
652	schtasks.exe
2284	schtasks.exe
5560	schtasks.exe
3180	schtasks.exe
5668	schtasks.exe
5716	schtasks.exe
2072	schtasks.exe
3016	schtasks.exe
2796	schtasks.exe
5644	schtasks.exe
5736	schtasks.exe
1784	schtasks.exe
1820	schtasks.exe
2304	schtasks.exe
960	schtasks.exe
4652	schtasks.exe
2100	schtasks.exe
948	schtasks.exe
4712	schtasks.exe
4576	schtasks.exe
2608	schtasks.exe
976	schtasks.exe
1476	schtasks.exe
5508	schtasks.exe
5752	schtasks.exe
5824	schtasks.exe
1548	schtasks.exe
2064	schtasks.exe
780	schtasks.exe
5540	schtasks.exe
5576	schtasks.exe
5628	schtasks.exe
2252	schtasks.exe
752	schtasks.exe
1628	schtasks.exe
5840	schtasks.exe
2144	schtasks.exe
3876	schtasks.exe
4748	schtasks.exe
2132	schtasks.exe
2468	schtasks.exe
5592	schtasks.exe
1984	schtasks.exe
1524	schtasks.exe
5612	schtasks.exe
4932	schtasks.exe
3780	schtasks.exe
5684	schtasks.exe
5788	schtasks.exe
5804	schtasks.exe
4688	schtasks.exe
1224	schtasks.exe
3304	schtasks.exe
5700	schtasks.exe
4840	schtasks.exe
1916	schtasks.exe
3548	schtasks.exe
2652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3808	PortwebSaves.exe
3808	PortwebSaves.exe
3808	PortwebSaves.exe
3808	PortwebSaves.exe
3808	PortwebSaves.exe
3808	PortwebSaves.exe
3808	PortwebSaves.exe
3808	PortwebSaves.exe
3808	PortwebSaves.exe
3808	PortwebSaves.exe
4704	powershell.exe
4704	powershell.exe
1484	powershell.exe
1484	powershell.exe
5000	powershell.exe
5000	powershell.exe
4128	powershell.exe
4128	powershell.exe
4816	powershell.exe
4816	powershell.exe
4088	powershell.exe
4088	powershell.exe
2660	powershell.exe
2660	powershell.exe
3872	powershell.exe
3872	powershell.exe
4828	powershell.exe
4828	powershell.exe
4820	powershell.exe
4820	powershell.exe
2364	powershell.exe
2364	powershell.exe
4368	powershell.exe
3748	powershell.exe
3748	powershell.exe
4368	powershell.exe
4492	powershell.exe
4492	powershell.exe
3748	powershell.exe
5000	powershell.exe
1412	powershell.exe
1412	powershell.exe
4080	PortwebSaves.exe
4080	PortwebSaves.exe
1484	powershell.exe
4704	powershell.exe
2660	powershell.exe
4088	powershell.exe
4080	PortwebSaves.exe
4128	powershell.exe
1412	powershell.exe
4080	PortwebSaves.exe
4828	powershell.exe
4820	powershell.exe
4816	powershell.exe
3872	powershell.exe
2364	powershell.exe
4368	powershell.exe
4492	powershell.exe
4080	PortwebSaves.exe
4080	PortwebSaves.exe
4080	PortwebSaves.exe
4080	PortwebSaves.exe
4080	PortwebSaves.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3808	PortwebSaves.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4080	PortwebSaves.exe
Token: SeIncreaseQuotaPrivilege	3748	powershell.exe
Token: SeSecurityPrivilege	3748	powershell.exe
Token: SeTakeOwnershipPrivilege	3748	powershell.exe
Token: SeLoadDriverPrivilege	3748	powershell.exe
Token: SeSystemProfilePrivilege	3748	powershell.exe
Token: SeSystemtimePrivilege	3748	powershell.exe
Token: SeProfSingleProcessPrivilege	3748	powershell.exe
Token: SeIncBasePriorityPrivilege	3748	powershell.exe
Token: SeCreatePagefilePrivilege	3748	powershell.exe
Token: SeBackupPrivilege	3748	powershell.exe
Token: SeRestorePrivilege	3748	powershell.exe
Token: SeShutdownPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeSystemEnvironmentPrivilege	3748	powershell.exe
Token: SeRemoteShutdownPrivilege	3748	powershell.exe
Token: SeUndockPrivilege	3748	powershell.exe
Token: SeManageVolumePrivilege	3748	powershell.exe
Token: 33	3748	powershell.exe
Token: 34	3748	powershell.exe
Token: 35	3748	powershell.exe
Token: 36	3748	powershell.exe
Token: SeIncreaseQuotaPrivilege	5000	powershell.exe
Token: SeSecurityPrivilege	5000	powershell.exe
Token: SeTakeOwnershipPrivilege	5000	powershell.exe
Token: SeLoadDriverPrivilege	5000	powershell.exe
Token: SeSystemProfilePrivilege	5000	powershell.exe
Token: SeSystemtimePrivilege	5000	powershell.exe
Token: SeProfSingleProcessPrivilege	5000	powershell.exe
Token: SeIncBasePriorityPrivilege	5000	powershell.exe
Token: SeCreatePagefilePrivilege	5000	powershell.exe
Token: SeBackupPrivilege	5000	powershell.exe
Token: SeRestorePrivilege	5000	powershell.exe
Token: SeShutdownPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeSystemEnvironmentPrivilege	5000	powershell.exe
Token: SeRemoteShutdownPrivilege	5000	powershell.exe
Token: SeUndockPrivilege	5000	powershell.exe
Token: SeManageVolumePrivilege	5000	powershell.exe
Token: 33	5000	powershell.exe
Token: 34	5000	powershell.exe
Token: 35	5000	powershell.exe
Token: 36	5000	powershell.exe
Token: SeIncreaseQuotaPrivilege	4704	powershell.exe
Token: SeSecurityPrivilege	4704	powershell.exe
Token: SeTakeOwnershipPrivilege	4704	powershell.exe
Token: SeLoadDriverPrivilege	4704	powershell.exe
Token: SeSystemProfilePrivilege	4704	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1648	904	Genshin Impact.exe	83
PID 904 wrote to memory of 1648	904	Genshin Impact.exe	83
PID 904 wrote to memory of 1648	904	Genshin Impact.exe	83
PID 1648 wrote to memory of 4376	1648	WScript.exe	85
PID 1648 wrote to memory of 4376	1648	WScript.exe	85
PID 1648 wrote to memory of 4376	1648	WScript.exe	85
PID 4376 wrote to memory of 3808	4376	cmd.exe	87
PID 4376 wrote to memory of 3808	4376	cmd.exe	87
PID 3808 wrote to memory of 4704	3808	PortwebSaves.exe	131
PID 3808 wrote to memory of 4704	3808	PortwebSaves.exe	131
PID 3808 wrote to memory of 3748	3808	PortwebSaves.exe	132
PID 3808 wrote to memory of 3748	3808	PortwebSaves.exe	132
PID 3808 wrote to memory of 5000	3808	PortwebSaves.exe	133
PID 3808 wrote to memory of 5000	3808	PortwebSaves.exe	133
PID 3808 wrote to memory of 4816	3808	PortwebSaves.exe	135
PID 3808 wrote to memory of 4816	3808	PortwebSaves.exe	135
PID 3808 wrote to memory of 1484	3808	PortwebSaves.exe	136
PID 3808 wrote to memory of 1484	3808	PortwebSaves.exe	136
PID 3808 wrote to memory of 4828	3808	PortwebSaves.exe	137
PID 3808 wrote to memory of 4828	3808	PortwebSaves.exe	137
PID 3808 wrote to memory of 3872	3808	PortwebSaves.exe	138
PID 3808 wrote to memory of 3872	3808	PortwebSaves.exe	138
PID 3808 wrote to memory of 2660	3808	PortwebSaves.exe	139
PID 3808 wrote to memory of 2660	3808	PortwebSaves.exe	139
PID 3808 wrote to memory of 4492	3808	PortwebSaves.exe	141
PID 3808 wrote to memory of 4492	3808	PortwebSaves.exe	141
PID 3808 wrote to memory of 4128	3808	PortwebSaves.exe	142
PID 3808 wrote to memory of 4128	3808	PortwebSaves.exe	142
PID 3808 wrote to memory of 4088	3808	PortwebSaves.exe	144
PID 3808 wrote to memory of 4088	3808	PortwebSaves.exe	144
PID 3808 wrote to memory of 4368	3808	PortwebSaves.exe	145
PID 3808 wrote to memory of 4368	3808	PortwebSaves.exe	145
PID 3808 wrote to memory of 2364	3808	PortwebSaves.exe	147
PID 3808 wrote to memory of 2364	3808	PortwebSaves.exe	147
PID 3808 wrote to memory of 1412	3808	PortwebSaves.exe	148
PID 3808 wrote to memory of 1412	3808	PortwebSaves.exe	148
PID 3808 wrote to memory of 4820	3808	PortwebSaves.exe	149
PID 3808 wrote to memory of 4820	3808	PortwebSaves.exe	149
PID 3808 wrote to memory of 4080	3808	PortwebSaves.exe	161
PID 3808 wrote to memory of 4080	3808	PortwebSaves.exe	161
PID 4080 wrote to memory of 5876	4080	PortwebSaves.exe	184
PID 4080 wrote to memory of 5876	4080	PortwebSaves.exe	184
PID 4080 wrote to memory of 5884	4080	PortwebSaves.exe	185
PID 4080 wrote to memory of 5884	4080	PortwebSaves.exe	185
PID 4080 wrote to memory of 5892	4080	PortwebSaves.exe	186
PID 4080 wrote to memory of 5892	4080	PortwebSaves.exe	186
PID 4080 wrote to memory of 5900	4080	PortwebSaves.exe	187
PID 4080 wrote to memory of 5900	4080	PortwebSaves.exe	187
PID 4080 wrote to memory of 5908	4080	PortwebSaves.exe	188
PID 4080 wrote to memory of 5908	4080	PortwebSaves.exe	188
PID 4080 wrote to memory of 5924	4080	PortwebSaves.exe	190
PID 4080 wrote to memory of 5924	4080	PortwebSaves.exe	190
PID 4080 wrote to memory of 5940	4080	PortwebSaves.exe	192
PID 4080 wrote to memory of 5940	4080	PortwebSaves.exe	192
PID 4080 wrote to memory of 5948	4080	PortwebSaves.exe	193
PID 4080 wrote to memory of 5948	4080	PortwebSaves.exe	193
PID 4080 wrote to memory of 4712	4080	PortwebSaves.exe	200
PID 4080 wrote to memory of 4712	4080	PortwebSaves.exe	200

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Genshin Impact.exe
"C:\Users\Admin\AppData\Local\Temp\Genshin Impact.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\winsessionnet\qmazbV2JlRldI.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\winsessionnet\kudjk2JZBqNfIbV0H.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\winsessionnet\PortwebSaves.exe
      "C:\winsessionnet\PortwebSaves.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winsessionnet\PortwebSaves.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winsessionnet\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winsessionnet\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
    - - C:\winsessionnet\PortwebSaves.exe
        
        "C:\winsessionnet\PortwebSaves.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4080
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winsessionnet\PortwebSaves.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5876
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Offline\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5884
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5892
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\en-US\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5900
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\sysmon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5924
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\sihost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5948
      - C:\Windows\it-IT\sysmon.exe
        
        "C:\Windows\it-IT\sysmon.exe"
        6⤵
        Executes dropped EXE
        
        PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\winsessionnet\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\winsessionnet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\winsessionnet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\PackageManifests\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\PackageManifests\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteDesktops\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\winsessionnet\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\winsessionnet\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\winsessionnet\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Offline\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Offline\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\it-IT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\886983d96e3d3e

Filesize
764B

MD5
7f237759c2d3527ac0e99729a3b39bb2

SHA1
f00de4c38b8b04347cdaba1483a426d8c48ae952

SHA256
90e26de6667b920819b2508174db8b926da6c2fac49c8e13f53dd66706b52303

SHA512
d3a7ad82985435fbc50dc26edb9c464955b47d185b9724d6392329eda7015d7a7df2017cad725d59421ec10d336dd86234288d5f091b56e797a4ac42c5daa443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PortwebSaves.exe.log

Filesize
1KB

MD5
61405cd7cb2bca4dfa54e14d1654ed7c

SHA1
bfc9618fcb1c1e0b7f0f7b3be5a6bd1a93bb992b

SHA256
fe0cfcd7729f9a68f46afcb3b105fdf637099b6043a41d9a27ed9bb5b281826a

SHA512
5f705e9b17b94515f19c2b7da03d7af6e4a08032f1fad1b3d1e1a73b8a0c68b105cb964b9f66016dc9a7abac1ed83c21a29bdcda6efd734f4e0594aef34da733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af1cc13f412ef37a00e668df293b1584

SHA1
8973b3e622f187fcf484a0eb9fa692bf3e2103cb

SHA256
449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

SHA512
75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d94e8aa23c7ad2db6f972739506306

SHA1
bd6d73d0417971c0077f772352d2f538a6201024

SHA256
dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

SHA512
4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6d1b8bb34838ccf42d5f69e919b1612

SHA1
20e9df1f5dd5908ce1b537d158961e0b1674949e

SHA256
8a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491

SHA512
ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8bd23aab2f3dde6d419bc23912cedd13

SHA1
10dc192ce97798bafb97afc025fc48c87bbae61e

SHA256
f4ef5307e90a68fc6882f59f6005d8459688d1000e58594d11f576e923a0c99b

SHA512
ab80c811f3f7e8bb620732c4315eb2a42b2239fddd5ec0eafa46b005760faa3c9c0301d91330cffd8e79c49c0d3d847ce8afbafe1889f3f1822313015c8c5ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
26c94c408a5a2e1e04f1191fc2902d3e

SHA1
ce50b153be03511bd62a477abf71a7e9f94e68a5

SHA256
86ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec

SHA512
70e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60ba7ac90c0e466144b48a90919960b6

SHA1
fe7f5d9e1d317f9409d8daa35d9c890f7e222d6a

SHA256
43d3c3113c66141b3a1f1f1bbf2d32a80128d029903ca58db09e9c6a9410ef9e

SHA512
92a1d912fd7be06820ec97b192b965d04ff44ff6a1c76b55405ecf20ca995762d823f52f174d8f48feb1d454716ab244adb4945febbf4fe4a6f91dd9791f87f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ee837f9246bf7d67b3132d8c32031517

SHA1
044171961c32e56e9e41da106ca654d1d7a5198f

SHA256
bf2368988696a019042e21b490d30f66297c8517a9fd3ca798fac7183d2b2d28

SHA512
cd8636c9fcdf8eb25cde91309edf5a01cba0b155d81f4a176c0bb7e0b829cc0b7adea724d6d27778beaf1247bafdddc9c47d05388c23da26a21e8c436d47d4a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
804a344b3d8a895612ee80bb41fcb6da

SHA1
d44e8744c9e86965e2e1f45ba1ae6caf6f41042f

SHA256
c280004f3e427ec880911deecd0b78dbc7116e3559510b8f79c597dbe513531a

SHA512
a01ce70fa86b8f775b546f1ece04700ce6f27630a6aa7c9f04a20057aa5591b1512babea8f3e628ba73c18a0d7025e4bf3f6525332040acfbec7c3ef4c48e5d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
565d76cc5ca2ae9ae8639a4a6d905447

SHA1
cfdc3b9f31b89cd1a35f954d172b15ff497a8ca3

SHA256
107a24d8c8012cbaa33355cef5d654f23b36b24f1140a66672c722350203e217

SHA512
656ac57ae95b5bca32fddcd3fe9bac49bd8a551400c983b0347ae8814e12801512dd6bce300bce4ced5240ca18894b8fa9a55d0ce07596c8f06a05fdfb9f1ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57bbb3c66252879a3fbd585555a7904e

SHA1
e79e0295ca5f3603d4f4f163a058f7c45ffb4198

SHA256
06f9b303748619b69ca94221c0ba15c6ac3953fe3c98b5c17085c47f5372e7f1

SHA512
e53af4e242f5ae7cf6ffcf09f829f3631a507a2191cf8f0cbc7d52ca339c77bf01d8df9f8a8672e5435de0563826bf3ac91d123bbb7779562ec0408204ea30e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
82445f3763ac3358dff9325cf30db1d9

SHA1
e81a5714d1dcc5c3881f018b071b521534f0c151

SHA256
171097f391b98433ef9dbb0af9c951a18202cdb95ec93eb7befedba6271894e6

SHA512
23e4aed22140c39067e8048b27c83db05722576ce91ecb2f0a2ee64aeb29f33e9e8e1d77aee91d3503a422b159b87531a054a139d74db39c781dfc6e9b431262

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e20q44zs.yc1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\winsessionnet\PortwebSaves.exe

Filesize
1.3MB

MD5
ad823965fda5d6901ab6a2bc0e153cee

SHA1
7ebaec14300ef03501785e9bc1637963ebbc49b0

SHA256
2c9a19274f314a4f2f728c51dc117196f7c176c6952275e3ba58184a2d6a95d9

SHA512
1c8897f5abbed300029c229b52c5fefd4ec1731cf71b1463f2a81ee085ea0190d766684b2c3057eb0fa6ddedfe97aae9c6c940bb8cdd90c226c02b406c42f9b9

Download Submit
C:\winsessionnet\kudjk2JZBqNfIbV0H.bat

Filesize
35B

MD5
b57373910e83f55b01da9606c160d606

SHA1
bdd2323421bf54c1ab2a40d2f21710c5ddf6b86e

SHA256
eed136c4973c9c837ba407c3c8dc5d70b9ad30c213628ab93c29649731207065

SHA512
32cd79677e54f51efa739b8b8d33e9834ccb7db05e0d3d56c21383968391007f54f05b92750c9dfc6b98bad362e3dca403f98b20a46e95a51ebdf3da70da1cbc

Download Submit
C:\winsessionnet\qmazbV2JlRldI.vbe

Filesize
207B

MD5
c976abe88c50259f846e4a7f9219c0e4

SHA1
0b8221670e970136114bfa60e95226cdfeda740e

SHA256
c912de4503819861b8f5053c4da777a73279aba052f9d4710cdb9facd62304d7

SHA512
e0fe8084c80f37e57b86fc3110f72acaec2e81dedf6a90488960891c2bd8d30728ec7ad763b7e8be299e56becfdbce93c08004efbe9eab92f9808f6109675715

Download Submit
memory/3808-16-0x0000000000B40000-0x0000000000C8C000-memory.dmp

Filesize
1.3MB

Download
memory/3808-21-0x0000000001560000-0x000000000156E000-memory.dmp

Filesize
56KB

Download
memory/3808-15-0x00007FF96D6E3000-0x00007FF96D6E5000-memory.dmp

Filesize
8KB

Download
memory/3808-22-0x0000000001570000-0x000000000157A000-memory.dmp

Filesize
40KB

Download
memory/3808-20-0x0000000001450000-0x0000000001466000-memory.dmp

Filesize
88KB

Download
memory/3808-19-0x000000001B9A0000-0x000000001B9F0000-memory.dmp

Filesize
320KB

Download
memory/3808-18-0x0000000001430000-0x000000000144C000-memory.dmp

Filesize
112KB

Download
memory/3808-17-0x0000000001490000-0x000000000149C000-memory.dmp

Filesize
48KB

Download
memory/4704-48-0x000002AD6F0C0000-0x000002AD6F0E2000-memory.dmp

Filesize
136KB

Download