dcrat | 7ddbec7fac00ec5624f45da5879ebfa97d95b21c7842cbaa1058daa46a47bd41

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
Size

1.6MB
MD5

5355cb64d0008d7ed7267cebea8f9bc4
SHA1

4f8fc970efa45c2f547e8583b49eb543b778f001
SHA256

c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f
SHA512

cd662e6d9f215b18867056fe70d9b04b2eaf7090577546d038218dfe8716379654cb6e5f1c6ca3672e8bd1844d5e7810486164cf8fe99054305a89eb51b4bac6
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5396	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5488	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5708	704	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	704	schtasks.exe	87

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral26/memory/3036-1-0x00000000002F0000-0x0000000000492000-memory.dmp	dcrat
behavioral26/files/0x000700000002430e-26.dat	dcrat
behavioral26/files/0x000e00000002411f-59.dat	dcrat
behavioral26/files/0x000a000000024302-70.dat	dcrat
behavioral26/files/0x000f000000024307-117.dat	dcrat
behavioral26/memory/2296-273-0x0000000000130000-0x00000000002D2000-memory.dmp	dcrat
behavioral26/files/0x000a000000024326-408.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5740	powershell.exe
5864	powershell.exe
4160	powershell.exe
5492	powershell.exe
3428	powershell.exe
3740	powershell.exe
1544	powershell.exe
2732	powershell.exe
1180	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 16 IoCs

pid	Process
2296	fontdrvhost.exe
4172	fontdrvhost.exe
4440	fontdrvhost.exe
2836	fontdrvhost.exe
3216	fontdrvhost.exe
4940	fontdrvhost.exe
2004	fontdrvhost.exe
3924	fontdrvhost.exe
376	fontdrvhost.exe
4288	fontdrvhost.exe
5884	fontdrvhost.exe
5488	fontdrvhost.exe
3636	fontdrvhost.exe
4292	fontdrvhost.exe
5800	fontdrvhost.exe
3460	fontdrvhost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXB4F9.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXB2C5.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5b884080fd4f94	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\886983d96e3d3e	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXB256.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXB4F8.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4352	schtasks.exe
5020	schtasks.exe
4648	schtasks.exe
4768	schtasks.exe
4800	schtasks.exe
804	schtasks.exe
4820	schtasks.exe
4428	schtasks.exe
4196	schtasks.exe
4900	schtasks.exe
4856	schtasks.exe
5708	schtasks.exe
2516	schtasks.exe
448	schtasks.exe
3216	schtasks.exe
3848	schtasks.exe
4596	schtasks.exe
4836	schtasks.exe
5396	schtasks.exe
4728	schtasks.exe
4676	schtasks.exe
3432	schtasks.exe
4944	schtasks.exe
5488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
1544	powershell.exe
1544	powershell.exe
5740	powershell.exe
5740	powershell.exe
3740	powershell.exe
3740	powershell.exe
3428	powershell.exe
3428	powershell.exe
1180	powershell.exe
1180	powershell.exe
2732	powershell.exe
2732	powershell.exe
5864	powershell.exe
5864	powershell.exe
5492	powershell.exe
5492	powershell.exe
5864	powershell.exe
5740	powershell.exe
4160	powershell.exe
4160	powershell.exe
3740	powershell.exe
4160	powershell.exe
1544	powershell.exe
1180	powershell.exe
3428	powershell.exe
5492	powershell.exe
2732	powershell.exe
2296	fontdrvhost.exe
2296	fontdrvhost.exe
4172	fontdrvhost.exe
4440	fontdrvhost.exe
2836	fontdrvhost.exe
2836	fontdrvhost.exe
3216	fontdrvhost.exe
4940	fontdrvhost.exe
4940	fontdrvhost.exe
2004	fontdrvhost.exe
3924	fontdrvhost.exe
376	fontdrvhost.exe
4288	fontdrvhost.exe
5884	fontdrvhost.exe
5488	fontdrvhost.exe
3636	fontdrvhost.exe
3636	fontdrvhost.exe
4292	fontdrvhost.exe
4292	fontdrvhost.exe
5800	fontdrvhost.exe
3460	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	5740	powershell.exe
Token: SeDebugPrivilege	5864	powershell.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	2296	fontdrvhost.exe
Token: SeDebugPrivilege	4172	fontdrvhost.exe
Token: SeDebugPrivilege	4440	fontdrvhost.exe
Token: SeDebugPrivilege	2836	fontdrvhost.exe
Token: SeDebugPrivilege	3216	fontdrvhost.exe
Token: SeDebugPrivilege	4940	fontdrvhost.exe
Token: SeDebugPrivilege	2004	fontdrvhost.exe
Token: SeDebugPrivilege	3924	fontdrvhost.exe
Token: SeDebugPrivilege	376	fontdrvhost.exe
Token: SeDebugPrivilege	4288	fontdrvhost.exe
Token: SeDebugPrivilege	5884	fontdrvhost.exe
Token: SeDebugPrivilege	5488	fontdrvhost.exe
Token: SeDebugPrivilege	3636	fontdrvhost.exe
Token: SeDebugPrivilege	4292	fontdrvhost.exe
Token: SeDebugPrivilege	5800	fontdrvhost.exe
Token: SeDebugPrivilege	3460	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3740	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	116
PID 3036 wrote to memory of 3740	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	116
PID 3036 wrote to memory of 1544	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	117
PID 3036 wrote to memory of 1544	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	117
PID 3036 wrote to memory of 5740	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	118
PID 3036 wrote to memory of 5740	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	118
PID 3036 wrote to memory of 3428	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	119
PID 3036 wrote to memory of 3428	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	119
PID 3036 wrote to memory of 1180	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	120
PID 3036 wrote to memory of 1180	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	120
PID 3036 wrote to memory of 2732	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	121
PID 3036 wrote to memory of 2732	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	121
PID 3036 wrote to memory of 5492	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	122
PID 3036 wrote to memory of 5492	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	122
PID 3036 wrote to memory of 4160	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	123
PID 3036 wrote to memory of 4160	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	123
PID 3036 wrote to memory of 5864	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	125
PID 3036 wrote to memory of 5864	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	125
PID 3036 wrote to memory of 2296	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	134
PID 3036 wrote to memory of 2296	3036	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	134
PID 2296 wrote to memory of 2608	2296	fontdrvhost.exe	136
PID 2296 wrote to memory of 2608	2296	fontdrvhost.exe	136
PID 2296 wrote to memory of 4852	2296	fontdrvhost.exe	137
PID 2296 wrote to memory of 4852	2296	fontdrvhost.exe	137
PID 2608 wrote to memory of 4172	2608	WScript.exe	139
PID 2608 wrote to memory of 4172	2608	WScript.exe	139
PID 4172 wrote to memory of 2980	4172	fontdrvhost.exe	140
PID 4172 wrote to memory of 2980	4172	fontdrvhost.exe	140
PID 4172 wrote to memory of 6140	4172	fontdrvhost.exe	141
PID 4172 wrote to memory of 6140	4172	fontdrvhost.exe	141
PID 2980 wrote to memory of 4440	2980	WScript.exe	142
PID 2980 wrote to memory of 4440	2980	WScript.exe	142
PID 4440 wrote to memory of 2620	4440	fontdrvhost.exe	144
PID 4440 wrote to memory of 2620	4440	fontdrvhost.exe	144
PID 4440 wrote to memory of 1264	4440	fontdrvhost.exe	145
PID 4440 wrote to memory of 1264	4440	fontdrvhost.exe	145
PID 2620 wrote to memory of 2836	2620	WScript.exe	148
PID 2620 wrote to memory of 2836	2620	WScript.exe	148
PID 2836 wrote to memory of 2276	2836	fontdrvhost.exe	150
PID 2836 wrote to memory of 2276	2836	fontdrvhost.exe	150
PID 2836 wrote to memory of 5168	2836	fontdrvhost.exe	151
PID 2836 wrote to memory of 5168	2836	fontdrvhost.exe	151
PID 2276 wrote to memory of 3216	2276	WScript.exe	156
PID 2276 wrote to memory of 3216	2276	WScript.exe	156
PID 3216 wrote to memory of 3428	3216	fontdrvhost.exe	157
PID 3216 wrote to memory of 3428	3216	fontdrvhost.exe	157
PID 3216 wrote to memory of 3344	3216	fontdrvhost.exe	158
PID 3216 wrote to memory of 3344	3216	fontdrvhost.exe	158
PID 3428 wrote to memory of 4940	3428	WScript.exe	159
PID 3428 wrote to memory of 4940	3428	WScript.exe	159
PID 4940 wrote to memory of 456	4940	fontdrvhost.exe	160
PID 4940 wrote to memory of 456	4940	fontdrvhost.exe	160
PID 4940 wrote to memory of 3356	4940	fontdrvhost.exe	161
PID 4940 wrote to memory of 3356	4940	fontdrvhost.exe	161
PID 456 wrote to memory of 2004	456	WScript.exe	162
PID 456 wrote to memory of 2004	456	WScript.exe	162
PID 2004 wrote to memory of 5412	2004	fontdrvhost.exe	163
PID 2004 wrote to memory of 5412	2004	fontdrvhost.exe	163
PID 2004 wrote to memory of 4476	2004	fontdrvhost.exe	164
PID 2004 wrote to memory of 4476	2004	fontdrvhost.exe	164
PID 5412 wrote to memory of 3924	5412	WScript.exe	165
PID 5412 wrote to memory of 3924	5412	WScript.exe	165
PID 3924 wrote to memory of 2028	3924	fontdrvhost.exe	166
PID 3924 wrote to memory of 2028	3924	fontdrvhost.exe	166

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
"C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5864
- C:\Recovery\WindowsRE\fontdrvhost.exe
  "C:\Recovery\WindowsRE\fontdrvhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4115b75d-21d2-4945-a8a7-caedfff0955b.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Recovery\WindowsRE\fontdrvhost.exe
      C:\Recovery\WindowsRE\fontdrvhost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\366ce6bf-b2c4-4e3d-812f-34a5fba3d5b9.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fe01e0e-8c45-4da7-905a-072e1f066192.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccbd3e5d-c2d0-466b-87f5-5daa220e6b82.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a62dffc3-b5d5-4000-bba7-162c7d5f13ea.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e46e3304-4243-4e8f-87c7-100ca1c48e84.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4de8100-d67d-467d-bbaa-b3fa54a134a8.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:5412
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a46fe35-a0ed-4e6f-b2af-100c6df2780d.vbs"
        17⤵
        
        PID:2028
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f71db9e1-a406-4228-9951-66516eb50335.vbs"
        19⤵
        
        PID:4348
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f345868-6cb2-46bf-889c-05f68ab2c0ae.vbs"
        21⤵
        
        PID:3240
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\746e786c-cd2a-4e9c-94b2-cf3784689876.vbs"
        23⤵
        
        PID:4152
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e88cebe0-1ca6-4b01-b3c7-fca3c65f920f.vbs"
        25⤵
        
        PID:1216
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83d3e06d-24a9-40d0-b2d3-e8a1332d5703.vbs"
        27⤵
        
        PID:3832
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fd14ad1-3fc3-49e1-b1f8-fb9dd529ef25.vbs"
        29⤵
        
        PID:4336
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f606452-424d-4400-bd16-20f87c2e274f.vbs"
        31⤵
        
        PID:5272
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee022ca0-5d07-4e40-b0cd-e3c998786264.vbs"
        33⤵
        
        PID:5760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3ad84c9-b306-44f9-9caf-ea9115a82df6.vbs"
        33⤵
        
        PID:4712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07336ef7-f95d-455b-bf1c-bb95cc8ba4a8.vbs"
        31⤵
        
        PID:860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ea80e16-94e6-497e-ab7f-7cc9c453caa5.vbs"
        29⤵
        
        PID:3520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac6fbebb-9ca7-45e3-b558-ce6502d519b3.vbs"
        27⤵
        
        PID:5056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ad36e9f-9340-40cb-b35d-b56d95ae3d92.vbs"
        25⤵
        
        PID:1276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7d94629-095c-4345-ae5a-354e8429b19e.vbs"
        23⤵
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2eac49d5-cba6-496d-983d-8b963031e72f.vbs"
        21⤵
        
        PID:4404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\349bca5d-71d1-4244-8735-05714836a73f.vbs"
        19⤵
        
        PID:6016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a32c59a-1839-46b2-b148-52f30b32a02e.vbs"
        17⤵
        
        PID:1420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e0844a6-f5e2-4775-8fd7-85a63477aa06.vbs"
        15⤵
        
        PID:4476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47aa55d2-d588-4763-9654-9c13f07fadbb.vbs"
        13⤵
        
        PID:3356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b09fa995-8354-4597-9cf8-a62920f49cde.vbs"
        11⤵
        
        PID:3344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e549a68f-76ac-4469-a2c7-c8d03bce56f7.vbs"
        9⤵
        
        PID:5168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c00174a-22e3-4417-8ead-7977d8975f58.vbs"
        7⤵
        
        PID:1264
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\576016ea-d712-4142-afa0-b1a5754db0f7.vbs"
        5⤵
        
        PID:6140
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c64b487-0c19-4e2a-957e-06c255c842c0.vbs"
    3⤵
    PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\f170d29a37c9c9775251\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\f170d29a37c9c9775251\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe

Filesize
1.6MB

MD5
73a8f787c7bcb2d59119b01e3a9733d8

SHA1
117394399cf6520a3108a6b7c2191d141dca8b69

SHA256
1c278050f5a3cd57862eb55cfe0046fca016f8bb88749237a6a1d196e322cdd5

SHA512
16828b22dcdd79486d6a5100fd3e6fac594d357c2c461d091a3ead022e5bf3c0d95752887dbebaf8098d7d7d0abddb8fce13adf77dad882311e2851a1b061b89

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.6MB

MD5
4b47df9ca947a346231419d8697bbc48

SHA1
098bd95f7e2b9c5b6900c2fcf899196f769c8233

SHA256
c5128175710e25cdce9fd2f9fac79c8391ddd3149ad6b319cfbc9bf83e8b2aad

SHA512
8934e45ae8d73e869a0bdafc560f1637bcd87ae5e758b838713e3d9c9da1f71d1aaf95db58773c26801c76cd9156195d216a874bab9afa118eb30a2d2adeb97d

Download Submit
C:\Recovery\WindowsRE\dwm.exe

Filesize
1.6MB

MD5
5355cb64d0008d7ed7267cebea8f9bc4

SHA1
4f8fc970efa45c2f547e8583b49eb543b778f001

SHA256
c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f

SHA512
cd662e6d9f215b18867056fe70d9b04b2eaf7090577546d038218dfe8716379654cb6e5f1c6ca3672e8bd1844d5e7810486164cf8fe99054305a89eb51b4bac6

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.6MB

MD5
db6ed9cc1f0790f1505395dcdb037709

SHA1
82b27b06b997fbc0f7d5c6f8cd9ce0a8944b16fd

SHA256
e3b9eb281476ea88e0b46b13cc6c032dcfa29a5c09096508e8722a7ffc44740c

SHA512
c2ef38de492b01e55e03dd9003b987ba9109a4034dabb63eb11b9efcf3677797378d0ecca4424a6b464dcd8553119d3c6d8051c7f7c56b367521c053aee7eb57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
71fa55c67a762ba70e40011153e19b3c

SHA1
a36d2bb4802a8ec7db1a68de5f0c3d6007987492

SHA256
b8be6896ca89d3ebe9ee8a94e3407483f4750badaf7fa33526817cfc926dc291

SHA512
32760af7c05e20fec8cbddf56c2df544a69335f930f1d313cd1fdceaa90ed2afe81e54ac1b6770097d6f5ca5f30955f95970171a453579aa19239a17aaefe47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80dfd43d9904cb4bdd37f6934f47ccf8

SHA1
72c0981be679ef6a22cbabbdc3e02a7e80a3eafc

SHA256
a6e60a417d8c6649d78716bcfae64c452ca60367f2280f0b41d5febac503edad

SHA512
793f081a3c5f89a88e4472be0ee26f04f47cbba6a8c5af2710fb8d09a224fc7ded64ff68924325cce0b518f330458cdd0bfafbab9f805ddcc68393aa3f179247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba8a00bf6995531451ca4ff43fecb0b9

SHA1
b590fcea37aded3a4b083ec2d39252fe10b97a61

SHA256
0211a4649daa040751a5aa8f42a3a677da906daf541fed80c2aa19c5f77e9a60

SHA512
e0cfd06cca6fca6d1b742ecc354c2dd9c0e72ab456525086c2af388cb533ff5baae6ff83fa4347dfbc28edc1a2c1b97ef986c2923af9634fd6d967e913fbfc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4021b258cd26ad91b3208444aca2f1

SHA1
617431aae43c616ecb3680101f01939d427479ef

SHA256
64edd4e5aafb2dd9117768e239f4368bc2a224de1ec5103a13d80f68ae74c00e

SHA512
5ede51408ee2b94b3d5e9cb192f59bff2ce7521d1f6704141ca40ff1d09b39700bf70b0e482ab55f45e206e0f73b215a2a6bff5e455e5916d2e35aa5122a3af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c8fd95453fe0d2e0f6d8e5ac03994b1

SHA1
d9811cf9d2b0d0ce3387fd79462cd592b005a634

SHA256
232dac927d663f4ed67a4f005da093bc9865c323767c29c3b4a21797f4a60e58

SHA512
f334216c706e96e85910bc14e7eeec0da3e6f4e9a8620108c938d997266939170aabfdfddd9830f454a34d0db503f8f0bbe63c910007bfd03f294f8a34945810

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a46fe35-a0ed-4e6f-b2af-100c6df2780d.vbs

Filesize
713B

MD5
6294314b462bcffcf54256c059266533

SHA1
696d866a16b09b73d4db7a4a383dd6166cc6a92f

SHA256
f1aaddb8537ea5d0823417b03bd387efffb37fa3bceceb444a4761ea27f48654

SHA512
f8d20a3cb28fab252cc8dc1c2260cd8b5992da34b6bb65257d323dad43f5d710f247689df5f7550e8216266173de7d921940dc56afe6300b35b48f19104014ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f345868-6cb2-46bf-889c-05f68ab2c0ae.vbs

Filesize
713B

MD5
33eaf50ca1ea2b5864b080761e5a8732

SHA1
e4643bdb346e2583613e58a607b59f38c296b57e

SHA256
3ee52ebb2cfa9b6d1e53242e2c30085ec384b0f20e78445ec903ba507fd58361

SHA512
57af7399719fb6ad4dfc5a8f86c7725b03f9824c91c9c6bade64aaec356983301edda3b01ba7c429de412af647036a4dd877b6c7dad25e676bf6155d7183cd9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\366ce6bf-b2c4-4e3d-812f-34a5fba3d5b9.vbs

Filesize
713B

MD5
d9f0a05f285e18a82ae05696efddff0f

SHA1
66f5647a24d4b5b05bda2505ef8a1682d2766e1f

SHA256
ea098afa4b68452c7a3c3aea82ae0e1847863446911f7fd26095438331ac4d46

SHA512
7a8064f56c94f9ec62e9f2f17d8c81dfe24af0306526e023221449a4e48e6794445a1fb16340791162f1ab1c48138f2a89fde4013e7a3b475946db575ce3bc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4115b75d-21d2-4945-a8a7-caedfff0955b.vbs

Filesize
713B

MD5
3b652d52e96baa27a7651f1efd91d48a

SHA1
8ecff26b237173f2dab7bb95281d77f9fc7844e8

SHA256
61d5a0797dc1c4a25b7bf72c0a2f66d9bda97668d761f0d572378c5ea95fe7c3

SHA512
380418f4b06550658056aa85886553fe4abe27ff3837004e702b3773456942ab1b4ff2361a3abaa51841fc7f3d270a46b44f849a2da9045cab4aecb5eb620b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fe01e0e-8c45-4da7-905a-072e1f066192.vbs

Filesize
713B

MD5
833553137113e10568d5c43e7e4ea204

SHA1
7672ef002ae16392baf43232be91b63f1d47d2ec

SHA256
5a6335a805e33f700a9e014e97e639c41862ffe03725f532aaea8bc4f9ced86a

SHA512
373e56491fcea7a781af3b48fff9218d4a2bd6a9ea63999ad61549ce507922841c26719cf4501f0e2dd4c8230293f5d6622e9acd424bc1d15b7d66ae4305be0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c64b487-0c19-4e2a-957e-06c255c842c0.vbs

Filesize
489B

MD5
f0e2d7a95dbe12a62c7234b9de697d1a

SHA1
eb8dc3bdc969424afb8d4e481234767cb325dcce

SHA256
20551d407aa54821861fd80bba7e947639cc982d36493cae0337c0a273ae5d0d

SHA512
d13f6392d4c6802f7ec51ed7e1c3e539e82621316b15ed0e028a48e39d832b8baa7b1c0bc50f72effc9c8eeff214ca58b0fac21bfec31e2ca22a259f04001762

Download Submit
C:\Users\Admin\AppData\Local\Temp\746e786c-cd2a-4e9c-94b2-cf3784689876.vbs

Filesize
713B

MD5
a57fbae888ad73f7543909c164edd9fd

SHA1
1309339148306eb099314b0225aef87081ac072f

SHA256
58b6ade1b998db2c04c965bb965e27eabeb338bf6687c722f55981a15f564322

SHA512
b45482ff403abd19cee1f38ff50b89040461a4b6cf5268618409932ebadaa57518865c2225ea896054935771e45e6e4784a5988eff121cc1cf2414eb4a38368c

Download Submit
C:\Users\Admin\AppData\Local\Temp\83d3e06d-24a9-40d0-b2d3-e8a1332d5703.vbs

Filesize
713B

MD5
d61d8dc957c25860fd4f62686c35f1fd

SHA1
a1f653e0e9e735781716ba1c2977d84cf73d1008

SHA256
1c7706cb63e86bfa1bca91c7b6d9bb2df80602c765f54482e5febdedab9cff8b

SHA512
5f58348b918c7f57da25c2c4bd253d5c7a1d83474d734b070e597d14c966d5c970c545a78240ce574f018679ea3a6e0b62dd6242fb71f911052f6f34fc1b3d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfgjr5bh.qq5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a62dffc3-b5d5-4000-bba7-162c7d5f13ea.vbs

Filesize
713B

MD5
b7f9938f734e90aa69f9d18463616b43

SHA1
00579daf19ac39c6098ab242edd2d0c010ce2c76

SHA256
f4cf5f8431b3f6387ecf7daec964af1961b6eaefbefe8bd7c528988a6943effb

SHA512
9e5693ac12dd464539e54edbdd2e7e09dcc8c1981f2bbac7d4d45e0e153a25d5b5419b8b42c4f65089752a91fae3f3641ef3e5e76bdffb1b13884d0574cb64fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccbd3e5d-c2d0-466b-87f5-5daa220e6b82.vbs

Filesize
713B

MD5
ef4e35db208ff9a4b0f4bf8d2e7cfc12

SHA1
23f56327d0a6d180c92d98ba5ca222d42ad153c2

SHA256
a579926dedccec80ebcdecfe712b69b0e90fdf5461bb7c24aedbe0e1b8502955

SHA512
e6cb9dc4ccc4c0c8990c9b36eb068b04b006a9ec63860c934eaf2cb418b13f4a3bfc007b4707c658bcdb14a7e38f54555641e8920c607dba80e97061cd82fdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4de8100-d67d-467d-bbaa-b3fa54a134a8.vbs

Filesize
713B

MD5
494a83e233e9ca71c489332be03a0b99

SHA1
fcc14a5c93dae1ec0ac9e32ce02a978e3b2dcfdc

SHA256
e0d87c29f56e5fd2aeb414e3e58ef19e52649cfa0600e32b1cf281361840968a

SHA512
98b8209c3c3a4e671f9730ac331ac3521b3b6db91120c0d4ca7e9bfecaa5344b9bb5962357365318ef1163129c961561a0b1d37a21e5e7ad2357933c393e9edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e46e3304-4243-4e8f-87c7-100ca1c48e84.vbs

Filesize
713B

MD5
e7519387c92a3e7ba0dc8e4097304ae0

SHA1
014c0f9d52399458e54b1abe4ccb60ba78b78fb5

SHA256
e2e10413701cfce88386ae6f6a96a98567f286ab663f9e607b487ef2e247b892

SHA512
f5440754d589c7cca3666c9facd3f34a5b02b5f163a8d81f51fe4a3acb1d327227db489559f7f85658821730b188ad19f096712e1393fd951c2cbe84c4f4b75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e88cebe0-1ca6-4b01-b3c7-fca3c65f920f.vbs

Filesize
713B

MD5
a1012385dfc6ed37e4f4808fca507bc2

SHA1
c11702b6f970f812074dda913524c5f9b79a8493

SHA256
1886e8dc995227efe4ba696976a2c72d84fd428d2b0d67e60c02e276fe9d7f7b

SHA512
c668961d50bc434115660e132b75d64e49e77282badbd550bc21f95d494ea6fbb088ca8815bf068ce921aada45c39799ca752eed5cfa64dc1af2517917e994b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5a120477f54a1127022ade7edd174140348904a.exe

Filesize
1.6MB

MD5
647809a5de5a8b7d2a0c37acb44019c6

SHA1
efca27c3a1a7e3620c9e378b7c2eb8aa58aa4e1c

SHA256
ef52b4bdff8d3cfcdb40917554211eae66c04265e1a15894e56dc052b60036d2

SHA512
8ca4f2bd3f41e525bf0dadb66615cd90f83b8a7e4c558c8b4be1d3f7307366367d3b9d2c91c5042877adb1a28e78bd6e84b7a49ad43ec7a7032725bb7d67f75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f71db9e1-a406-4228-9951-66516eb50335.vbs

Filesize
712B

MD5
d09b2ee592283b443967caed0cd4010e

SHA1
6f6f5ac04e7b640adb3665ef1f1d44903364a848

SHA256
bb0148cf37924a0b47a0c19c4901222d3e4f0ceb92369c8b338e5d47b762c300

SHA512
92240aa0b9a9580942f141d4efe0cd17f2f047e20adcd5e5bf76802ae796739ce5f11a4e57e3987150168d058d8fff3186a3fa0865f6d62127b6a6fec6a1d59a

Download Submit
memory/2296-273-0x0000000000130000-0x00000000002D2000-memory.dmp

Filesize
1.6MB

Download
memory/3036-10-0x000000001B710000-0x000000001B71C000-memory.dmp

Filesize
48KB

Download
memory/3036-0-0x00007FFF3ADA3000-0x00007FFF3ADA5000-memory.dmp

Filesize
8KB

Download
memory/3036-1-0x00000000002F0000-0x0000000000492000-memory.dmp

Filesize
1.6MB

Download
memory/3036-16-0x000000001B830000-0x000000001B83A000-memory.dmp

Filesize
40KB

Download
memory/3036-17-0x000000001B840000-0x000000001B84C000-memory.dmp

Filesize
48KB

Download
memory/3036-14-0x000000001B810000-0x000000001B818000-memory.dmp

Filesize
32KB

Download
memory/3036-15-0x000000001B820000-0x000000001B828000-memory.dmp

Filesize
32KB

Download
memory/3036-12-0x000000001B7F0000-0x000000001B7FA000-memory.dmp

Filesize
40KB

Download
memory/3036-11-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

Filesize
48KB

Download
memory/3036-13-0x000000001B800000-0x000000001B80E000-memory.dmp

Filesize
56KB

Download
memory/3036-8-0x000000001B870000-0x000000001B880000-memory.dmp

Filesize
64KB

Download
memory/3036-9-0x000000001B700000-0x000000001B708000-memory.dmp

Filesize
32KB

Download
memory/3036-274-0x00007FFF3ADA0000-0x00007FFF3B861000-memory.dmp

Filesize
10.8MB

Download
memory/3036-7-0x000000001B6F0000-0x000000001B6F8000-memory.dmp

Filesize
32KB

Download
memory/3036-6-0x000000001B6D0000-0x000000001B6E6000-memory.dmp

Filesize
88KB

Download
memory/3036-5-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/3036-4-0x000000001B720000-0x000000001B770000-memory.dmp

Filesize
320KB

Download
memory/3036-3-0x0000000002570000-0x000000000258C000-memory.dmp

Filesize
112KB

Download
memory/3036-2-0x00007FFF3ADA0000-0x00007FFF3B861000-memory.dmp

Filesize
10.8MB

Download
memory/5864-180-0x000001E6EC560000-0x000001E6EC582000-memory.dmp

Filesize
136KB

Download