dcrat | b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
Size

1.7MB
MD5

56d660c11eaba52b06b10344f8f01f70
SHA1

0901888a67e7e2ffb61a3ed953c1c38995e941e8
SHA256

b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9
SHA512

847f6ff7c2eda0032c2e5aae696fcc6249760c9b43c404889762caf239317640ce6342d26960947037a5c36604108f9bdb457854b6fffd7ceb0e03564e6a3d02
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	2436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2436	schtasks.exe	82

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2804-1-0x0000000000400000-0x00000000005C0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cad-30.dat	dcrat
behavioral2/files/0x000a000000023c9a-84.dat	dcrat
behavioral2/files/0x0009000000023ca3-93.dat	dcrat
behavioral2/files/0x000b000000023ca8-116.dat	dcrat
behavioral2/files/0x0009000000023caf-129.dat	dcrat
behavioral2/files/0x0009000000023cb2-140.dat	dcrat
behavioral2/files/0x000b000000023cbd-199.dat	dcrat
behavioral2/memory/988-366-0x0000000000750000-0x0000000000910000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
708	powershell.exe
3388	powershell.exe
4496	powershell.exe
4272	powershell.exe
4472	powershell.exe
1956	powershell.exe
2904	powershell.exe
1660	powershell.exe
3220	powershell.exe
4320	powershell.exe
4312	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
988	winlogon.exe
1564	winlogon.exe
4936	winlogon.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXCD49.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\fontdrvhost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5b884080fd4f94	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXBC14.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXBC83.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\fontdrvhost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\5b884080fd4f94	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\explorer.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXCF50.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCXCAC7.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\explorer.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXCD4A.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXCF4F.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\7a0fd90576e088	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\5b884080fd4f94	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCXCAC6.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\f3b6ecef712a24	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\ModemLogs\RCXC63F.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RCXC844.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RCXC845.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\fr-FR\886983d96e3d3e	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\Web\Wallpaper\Theme1\fontdrvhost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\SKB\LanguageModels\StartMenuExperienceHost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\SKB\LanguageModels\55b276f4edf653	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\SKB\LanguageModels\StartMenuExperienceHost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Help\en-US\fontdrvhost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\fr-FR\csrss.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\Web\Wallpaper\Theme1\5b884080fd4f94	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\Help\en-US\fontdrvhost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\fr-FR\RCXB4DC.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme1\RCXBE87.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme1\fontdrvhost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\ModemLogs\spoolsv.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Help\en-US\RCXD1C3.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\fr-FR\csrss.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\ModemLogs\spoolsv.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\Help\en-US\5b884080fd4f94	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\fr-FR\RCXB4DB.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme1\RCXBE88.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\ModemLogs\RCXC5D1.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Help\en-US\RCXD154.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2056	schtasks.exe
5040	schtasks.exe
1476	schtasks.exe
4536	schtasks.exe
4620	schtasks.exe
3124	schtasks.exe
1776	schtasks.exe
4432	schtasks.exe
4060	schtasks.exe
3908	schtasks.exe
3572	schtasks.exe
4648	schtasks.exe
4444	schtasks.exe
4948	schtasks.exe
4852	schtasks.exe
468	schtasks.exe
2968	schtasks.exe
992	schtasks.exe
2480	schtasks.exe
1076	schtasks.exe
1752	schtasks.exe
4544	schtasks.exe
3396	schtasks.exe
1048	schtasks.exe
1604	schtasks.exe
1924	schtasks.exe
2064	schtasks.exe
3356	schtasks.exe
4232	schtasks.exe
3800	schtasks.exe
2396	schtasks.exe
2760	schtasks.exe
3920	schtasks.exe
3268	schtasks.exe
3020	schtasks.exe
1728	schtasks.exe
3488	schtasks.exe
532	schtasks.exe
2924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
1660	powershell.exe
1660	powershell.exe
4472	powershell.exe
4472	powershell.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2904	powershell.exe
2904	powershell.exe
3388	powershell.exe
3388	powershell.exe
4272	powershell.exe
4272	powershell.exe
4320	powershell.exe
4320	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	988	winlogon.exe
Token: SeDebugPrivilege	1564	winlogon.exe
Token: SeDebugPrivilege	4936	winlogon.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 3220	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	125
PID 2804 wrote to memory of 3220	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	125
PID 2804 wrote to memory of 1660	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	126
PID 2804 wrote to memory of 1660	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	126
PID 2804 wrote to memory of 4312	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	127
PID 2804 wrote to memory of 4312	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	127
PID 2804 wrote to memory of 4320	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	128
PID 2804 wrote to memory of 4320	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	128
PID 2804 wrote to memory of 1956	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	129
PID 2804 wrote to memory of 1956	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	129
PID 2804 wrote to memory of 4472	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	130
PID 2804 wrote to memory of 4472	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	130
PID 2804 wrote to memory of 4272	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	131
PID 2804 wrote to memory of 4272	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	131
PID 2804 wrote to memory of 4496	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	132
PID 2804 wrote to memory of 4496	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	132
PID 2804 wrote to memory of 3388	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	133
PID 2804 wrote to memory of 3388	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	133
PID 2804 wrote to memory of 708	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	134
PID 2804 wrote to memory of 708	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	134
PID 2804 wrote to memory of 2904	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	135
PID 2804 wrote to memory of 2904	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	135
PID 2804 wrote to memory of 988	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	147
PID 2804 wrote to memory of 988	2804	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	147
PID 988 wrote to memory of 636	988	winlogon.exe	149
PID 988 wrote to memory of 636	988	winlogon.exe	149
PID 988 wrote to memory of 3956	988	winlogon.exe	150
PID 988 wrote to memory of 3956	988	winlogon.exe	150
PID 636 wrote to memory of 1564	636	WScript.exe	155
PID 636 wrote to memory of 1564	636	WScript.exe	155
PID 1564 wrote to memory of 3924	1564	winlogon.exe	156
PID 1564 wrote to memory of 3924	1564	winlogon.exe	156
PID 1564 wrote to memory of 1428	1564	winlogon.exe	157
PID 1564 wrote to memory of 1428	1564	winlogon.exe	157
PID 3924 wrote to memory of 4936	3924	WScript.exe	158
PID 3924 wrote to memory of 4936	3924	WScript.exe	158
PID 4936 wrote to memory of 3688	4936	winlogon.exe	159
PID 4936 wrote to memory of 3688	4936	winlogon.exe	159
PID 4936 wrote to memory of 2656	4936	winlogon.exe	160
PID 4936 wrote to memory of 2656	4936	winlogon.exe	160

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
"C:\Users\Admin\AppData\Local\Temp\b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Users\All Users\Application Data\winlogon.exe
  "C:\Users\All Users\Application Data\winlogon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4fae7dc-b794-4776-8d09-60b9179b5ccb.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Users\All Users\Application Data\winlogon.exe
      "C:\Users\All Users\Application Data\winlogon.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0328031d-1650-4f51-9d30-00bfdbd949f4.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3924
      - C:\Users\All Users\Application Data\winlogon.exe
        
        "C:\Users\All Users\Application Data\winlogon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3abcfc17-e196-4dd1-9de4-01ddd82aa92f.vbs"
        7⤵
        
        PID:3688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e2c8bd4-c75e-41dd-a4be-216b9434cf39.vbs"
        7⤵
        
        PID:2656
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c71d723b-27d1-4bdc-8d32-626072bd09bb.vbs"
        5⤵
        
        PID:1428
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d678f13-2596-47b6-9326-eae0f12407a8.vbs"
    3⤵
    PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Theme1\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Theme1\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Theme1\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ModemLogs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\SKB\LanguageModels\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Help\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe

Filesize
1.7MB

MD5
eaf077a02489a69f959663bdc4676c26

SHA1
538c115f739b703f460670bc8b2ee49c5de7b5fb

SHA256
c0ba895651452248ea0d8b80c1562c4805a8180b3a0a6beff596bc8b8d0dd0fd

SHA512
67178d117a11b4549a2d9a12e104cf4ac2f98d04463c8367c95a60dd671cc717745eb4e534cf81817510e1ffb75e4ccfc59b6dcec9867c9d4d1d82f679f13030

Download Submit
C:\ProgramData\winlogon.exe

Filesize
1.7MB

MD5
79e35cb4e139e232a7c66b9206062014

SHA1
78a65c4e34b372f73fe64a5ce1703f3b647189fc

SHA256
a58df5e3ad91af6686d4f7df263f974277e57a5310b561e8d708f62d06a3fd32

SHA512
b5040998bb55e1c6826c6f2963c71dd66828b7ca6332fac39b292b594e17212037e7d8988b7f7b44a0cbdc2137dae35a8979f801c3bf72838f026dc4d12c6edb

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.7MB

MD5
ad25b4b5cbfcd77be4094fb3576f4d81

SHA1
82fe306592d068602a13aeba04647aa36d6eba9b

SHA256
89ffea60633e9aa3e057d013d89a3caaa3aa4dae52abb9963bfc2ff994ee68af

SHA512
9e3d8d8c967317ea9d2b4c6375ef0f3ec46e4823a44b9e323fde7c9adc1d57109d67c0f9980240bedab142138b65c3e85e5d99af16bb93115f7afb8cf3a44497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0328031d-1650-4f51-9d30-00bfdbd949f4.vbs

Filesize
724B

MD5
41440475683bc3b2e1336b334312c503

SHA1
eb244d5af06c9ee4e7392f480eaeb93ac54fc60c

SHA256
3116bea0b8c1994b28edb0782e591c82760922ba04326b46c594846efbd7e695

SHA512
42209a580d1ef28b57f2118601d1e1d797c050840a8ffe02d1cec2881e94d1e6f883ada3c481ce479fb0179da9ac9b1e0cb80f7e46cca8df79288ccac43948f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d678f13-2596-47b6-9326-eae0f12407a8.vbs

Filesize
500B

MD5
30fd4c5c0c840e0874d1b0cd502e77c0

SHA1
d8948c43084bf9901dfbba29eedc408c69e6ed82

SHA256
edd40b139bf59ca516c310e78125ff1e5424e87474b9a4db2f7f5e52b63f910f

SHA512
b71b7a5a005d067987598f05e250dfbdaa24ee022f28d649c98fd289ded7b3d53beefbc422f352c398b67af9e01b1ac326fc0216a49f26742e61321009b0a303

Download Submit
C:\Users\Admin\AppData\Local\Temp\3abcfc17-e196-4dd1-9de4-01ddd82aa92f.vbs

Filesize
724B

MD5
d0f02155d123035f3b351580ee1a190f

SHA1
677e1e5c775faf19e08512fa60db75d30df0f692

SHA256
9ffaddedf61dde4d500cb3092eaf78d56e75219c2b4aa18ddb94489da788f977

SHA512
b15986df3a513e7fb654eda3a750c13955a25a94b0749038c6afbb975b07ea78ecffc2c37c13e9469c257a5dc6f9038c70ed91b09a52f6a1c725c89ec96d88a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2rreurfj.53h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4fae7dc-b794-4776-8d09-60b9179b5ccb.vbs

Filesize
723B

MD5
1e4c48e2704e0a071430f799dc30fc8c

SHA1
ff9cecb66a96f9734758ac4b1895bf1e05990313

SHA256
be3de2e7414f2f23e9a391594e3b84eafefadf6c98625fe8739de84475d4d311

SHA512
503c4b4bade9f77817bd23b24dc5b7deb01b39c2cb85092e25373ec0f1e3dbdc28874ee7962f089f2dc0d4e78ef9944047ecc6bda556494d74f08a2b6a2ada12

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\taskhostw.exe

Filesize
1.7MB

MD5
f76ca74e33bafa3f5661b1a4cf17edda

SHA1
8c14c5f0c0bc669afff455f41903b4b41e4fa342

SHA256
3c36e3b74e7d27373608cd57ccc9a982e042836f8bc06b9ce050af18557863ce

SHA512
4488da90d04f22b9e23d28b5992c1e7104801849c02b4804bc11815c9d2f213ec57e431e7317bda905ed67ac3f0a6713d287e930ae41d5c1fa38da5263f05288

Download Submit
C:\Windows\Help\en-US\fontdrvhost.exe

Filesize
1.7MB

MD5
626aa1febdec24c65eff133820be88cd

SHA1
68bdab58cdb0a18fe5dcd43d7a4e01857b9cfaa2

SHA256
288c9ed9246d8e5e1179514579b483cf808446895a88a6ded9790f97a4cb909f

SHA512
89dfd87522be252fdc971955101ce786ca48f8be01e3e48018f737e287429cfab4cf2fa4dec232e3709ed85e465ae31fb1654c8f879c32ed32729426f26b2c39

Download Submit
C:\Windows\ModemLogs\spoolsv.exe

Filesize
1.7MB

MD5
4cae83d07c6f99e6c32fe9c0b947a427

SHA1
b1859b445262389634fd1ab1bfdb942ccc6eb416

SHA256
9d9d7517687d7db084597d0ac8b2925298af321dcda71f4f7a405e2ba81417cf

SHA512
b4c28c3d8c4ad24d776c8219e4742087eff06e8529468c94e15bca331d8cf6cc2bf5dff15a328478f8ce85fc9a61aa5d6b1920e73e4b5101e81afcfdab70a878

Download Submit
C:\Windows\Web\Wallpaper\Theme1\fontdrvhost.exe

Filesize
1.7MB

MD5
56d660c11eaba52b06b10344f8f01f70

SHA1
0901888a67e7e2ffb61a3ed953c1c38995e941e8

SHA256
b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9

SHA512
847f6ff7c2eda0032c2e5aae696fcc6249760c9b43c404889762caf239317640ce6342d26960947037a5c36604108f9bdb457854b6fffd7ceb0e03564e6a3d02

Download Submit
memory/988-366-0x0000000000750000-0x0000000000910000-memory.dmp

Filesize
1.8MB

Download
memory/2804-12-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/2804-20-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2804-15-0x00000000028E0000-0x00000000028EA000-memory.dmp

Filesize
40KB

Download
memory/2804-0-0x00007FFEAEFA3000-0x00007FFEAEFA5000-memory.dmp

Filesize
8KB

Download
memory/2804-16-0x000000001BA00000-0x000000001BA0E000-memory.dmp

Filesize
56KB

Download
memory/2804-17-0x000000001BA10000-0x000000001BA18000-memory.dmp

Filesize
32KB

Download
memory/2804-18-0x000000001BB20000-0x000000001BB2C000-memory.dmp

Filesize
48KB

Download
memory/2804-14-0x0000000002880000-0x000000000288C000-memory.dmp

Filesize
48KB

Download
memory/2804-143-0x00007FFEAEFA3000-0x00007FFEAEFA5000-memory.dmp

Filesize
8KB

Download
memory/2804-166-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2804-13-0x000000001BE30000-0x000000001C358000-memory.dmp

Filesize
5.2MB

Download
memory/2804-201-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2804-1-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2804-23-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2804-19-0x000000001BB30000-0x000000001BB3C000-memory.dmp

Filesize
48KB

Download
memory/2804-367-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2804-10-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2804-9-0x0000000002850000-0x000000000285C000-memory.dmp

Filesize
48KB

Download
memory/2804-8-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/2804-5-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2804-7-0x0000000002710000-0x0000000002726000-memory.dmp

Filesize
88KB

Download
memory/2804-6-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/2804-4-0x0000000002890000-0x00000000028E0000-memory.dmp

Filesize
320KB

Download
memory/2804-3-0x00000000026D0000-0x00000000026EC000-memory.dmp

Filesize
112KB

Download
memory/2804-2-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2904-258-0x0000019546B90000-0x0000019546BB2000-memory.dmp

Filesize
136KB

Download