dcrat | 5c63933553e1452d634beb2b295333e4db5742e571322d823648d4e5c94b2828

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
Size

885KB
MD5

7f653aa47f3ef4d091f38ed9e5dcc6d4
SHA1

68ec9ab071cd6429ff3da60901ca80b283a7943a
SHA256

91e17c8d5d7f65ef395f929f499b1d53eeabdc4cb909a3bb5eeeea0e470214c1
SHA512

3622e31c5d688dbb7b247a0d43d7ea0f06b7710a1b92ef176c7c0a137b08bbb3b976ac7aced4bec393107c88a8d851d4073d793d56b3c4b6d69dd028265f357d
SSDEEP

12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5308	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5696	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6108	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5476	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5528	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5884	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5540	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6132	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5324	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5352	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5936	5076	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	5076	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral18/memory/2376-1-0x0000000000610000-0x00000000006F4000-memory.dmp	dcrat
behavioral18/files/0x00070000000241eb-19.dat	dcrat

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 16 IoCs

pid	Process
2232	sihost.exe
5804	sihost.exe
2920	sihost.exe
2956	sihost.exe
5168	sihost.exe
3052	sihost.exe
5680	sihost.exe
2492	sihost.exe
3640	sihost.exe
5800	sihost.exe
3360	sihost.exe
3724	sihost.exe
3252	sihost.exe
5328	sihost.exe
5896	sihost.exe
5652	sihost.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RCX75EC.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RCX75ED.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files\edge_BITS_4736_1164877528\RCX75FE.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files\edge_BITS_4736_1164877528\TextInputHost.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX75A7.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files\edge_BITS_4736_1164877528\RCX75EE.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\0e1076e341df94	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sihost.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\66fc9ff0ee96c2	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files\edge_BITS_4736_1164877528\22eafd247d37c3	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX75A8.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\RCX7634.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Windows\Fonts\RCX7645.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\RCX7667.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\RCX7687.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Windows\Fonts\Registry.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Windows\Fonts\ee2ad38f3d4382	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\backgroundTaskHost.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\eddb19405b7ce1	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4212	schtasks.exe
4924	schtasks.exe
4000	schtasks.exe
1020	schtasks.exe
448	schtasks.exe
1388	schtasks.exe
1680	schtasks.exe
4900	schtasks.exe
4396	schtasks.exe
1504	schtasks.exe
1304	schtasks.exe
3764	schtasks.exe
4160	schtasks.exe
4344	schtasks.exe
6132	schtasks.exe
2040	schtasks.exe
1296	schtasks.exe
4540	schtasks.exe
6108	schtasks.exe
5476	schtasks.exe
5804	schtasks.exe
5528	schtasks.exe
5884	schtasks.exe
5540	schtasks.exe
1204	schtasks.exe
5696	schtasks.exe
1840	schtasks.exe
5324	schtasks.exe
3144	schtasks.exe
3196	schtasks.exe
5112	schtasks.exe
664	schtasks.exe
1576	schtasks.exe
3796	schtasks.exe
5000	schtasks.exe
1800	schtasks.exe
5044	schtasks.exe
736	schtasks.exe
1180	schtasks.exe
5352	schtasks.exe
3808	schtasks.exe
5308	schtasks.exe
4980	schtasks.exe
4744	schtasks.exe
1936	schtasks.exe
2176	schtasks.exe
3272	schtasks.exe
5936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2232	sihost.exe
5804	sihost.exe
2920	sihost.exe
2956	sihost.exe
2956	sihost.exe
5168	sihost.exe
5168	sihost.exe
3052	sihost.exe
3052	sihost.exe
5680	sihost.exe
5680	sihost.exe
2492	sihost.exe
2492	sihost.exe
3640	sihost.exe
5800	sihost.exe
3360	sihost.exe
3724	sihost.exe
3252	sihost.exe
5328	sihost.exe
5328	sihost.exe
5896	sihost.exe
5896	sihost.exe
5652	sihost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
Token: SeDebugPrivilege	2232	sihost.exe
Token: SeDebugPrivilege	5804	sihost.exe
Token: SeDebugPrivilege	2920	sihost.exe
Token: SeDebugPrivilege	2956	sihost.exe
Token: SeDebugPrivilege	5168	sihost.exe
Token: SeDebugPrivilege	3052	sihost.exe
Token: SeDebugPrivilege	5680	sihost.exe
Token: SeDebugPrivilege	2492	sihost.exe
Token: SeDebugPrivilege	3640	sihost.exe
Token: SeDebugPrivilege	5800	sihost.exe
Token: SeDebugPrivilege	3360	sihost.exe
Token: SeDebugPrivilege	3724	sihost.exe
Token: SeDebugPrivilege	3252	sihost.exe
Token: SeDebugPrivilege	5328	sihost.exe
Token: SeDebugPrivilege	5896	sihost.exe
Token: SeDebugPrivilege	5652	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 4668	2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe	137
PID 2376 wrote to memory of 4668	2376	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe	137
PID 4668 wrote to memory of 5780	4668	cmd.exe	139
PID 4668 wrote to memory of 5780	4668	cmd.exe	139
PID 4668 wrote to memory of 2232	4668	cmd.exe	143
PID 4668 wrote to memory of 2232	4668	cmd.exe	143
PID 2232 wrote to memory of 4804	2232	sihost.exe	145
PID 2232 wrote to memory of 4804	2232	sihost.exe	145
PID 2232 wrote to memory of 5296	2232	sihost.exe	146
PID 2232 wrote to memory of 5296	2232	sihost.exe	146
PID 4804 wrote to memory of 5804	4804	WScript.exe	149
PID 4804 wrote to memory of 5804	4804	WScript.exe	149
PID 5804 wrote to memory of 4920	5804	sihost.exe	150
PID 5804 wrote to memory of 4920	5804	sihost.exe	150
PID 5804 wrote to memory of 3780	5804	sihost.exe	151
PID 5804 wrote to memory of 3780	5804	sihost.exe	151
PID 4920 wrote to memory of 2920	4920	WScript.exe	152
PID 4920 wrote to memory of 2920	4920	WScript.exe	152
PID 2920 wrote to memory of 3384	2920	sihost.exe	153
PID 2920 wrote to memory of 3384	2920	sihost.exe	153
PID 2920 wrote to memory of 5184	2920	sihost.exe	154
PID 2920 wrote to memory of 5184	2920	sihost.exe	154
PID 3384 wrote to memory of 2956	3384	WScript.exe	165
PID 3384 wrote to memory of 2956	3384	WScript.exe	165
PID 2956 wrote to memory of 3768	2956	sihost.exe	166
PID 2956 wrote to memory of 3768	2956	sihost.exe	166
PID 2956 wrote to memory of 5600	2956	sihost.exe	167
PID 2956 wrote to memory of 5600	2956	sihost.exe	167
PID 3768 wrote to memory of 5168	3768	WScript.exe	168
PID 3768 wrote to memory of 5168	3768	WScript.exe	168
PID 5168 wrote to memory of 4848	5168	sihost.exe	169
PID 5168 wrote to memory of 4848	5168	sihost.exe	169
PID 5168 wrote to memory of 4592	5168	sihost.exe	170
PID 5168 wrote to memory of 4592	5168	sihost.exe	170
PID 4848 wrote to memory of 3052	4848	WScript.exe	171
PID 4848 wrote to memory of 3052	4848	WScript.exe	171
PID 3052 wrote to memory of 2988	3052	sihost.exe	172
PID 3052 wrote to memory of 2988	3052	sihost.exe	172
PID 3052 wrote to memory of 5136	3052	sihost.exe	173
PID 3052 wrote to memory of 5136	3052	sihost.exe	173
PID 2988 wrote to memory of 5680	2988	WScript.exe	174
PID 2988 wrote to memory of 5680	2988	WScript.exe	174
PID 5680 wrote to memory of 5796	5680	sihost.exe	175
PID 5680 wrote to memory of 5796	5680	sihost.exe	175
PID 5680 wrote to memory of 2828	5680	sihost.exe	176
PID 5680 wrote to memory of 2828	5680	sihost.exe	176
PID 5796 wrote to memory of 2492	5796	WScript.exe	178
PID 5796 wrote to memory of 2492	5796	WScript.exe	178
PID 2492 wrote to memory of 1660	2492	sihost.exe	179
PID 2492 wrote to memory of 1660	2492	sihost.exe	179
PID 2492 wrote to memory of 5536	2492	sihost.exe	180
PID 2492 wrote to memory of 5536	2492	sihost.exe	180
PID 1660 wrote to memory of 3640	1660	WScript.exe	181
PID 1660 wrote to memory of 3640	1660	WScript.exe	181
PID 3640 wrote to memory of 3456	3640	sihost.exe	182
PID 3640 wrote to memory of 3456	3640	sihost.exe	182
PID 3640 wrote to memory of 5372	3640	sihost.exe	183
PID 3640 wrote to memory of 5372	3640	sihost.exe	183
PID 3456 wrote to memory of 5800	3456	WScript.exe	184
PID 3456 wrote to memory of 5800	3456	WScript.exe	184
PID 5800 wrote to memory of 5520	5800	sihost.exe	185
PID 5800 wrote to memory of 5520	5800	sihost.exe	185
PID 5800 wrote to memory of 4024	5800	sihost.exe	186
PID 5800 wrote to memory of 4024	5800	sihost.exe	186

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
"C:\Users\Admin\AppData\Local\Temp\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RehPSk1Cs7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5780
- - C:\Recovery\WindowsRE\sihost.exe
    "C:\Recovery\WindowsRE\sihost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c71a2ef-dace-46f7-8055-2be7c55e8572.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5804
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49f74baf-05d0-400a-b1fb-052313fe20bc.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\473dc452-cdaf-4dd4-8dbb-e2166b808f83.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af83efc0-b7fe-4630-acc8-75263898cb58.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25ef0388-96ee-488c-abdd-fd69557e032e.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1f735e4-721c-4448-ad41-6544c26bb443.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\200a7cfc-2ce0-479b-a800-24f78c079e05.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5796
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bcbcb99-a73e-4321-900f-2124fbbf8f9c.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eba94d30-79ea-4fdd-9c2a-e6734427ccbc.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\205fb270-d9a9-4981-ae0b-d63ffaf1292c.vbs"
        22⤵
        
        PID:5520
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39af05ec-b68f-46f4-b315-e2bc25c59b63.vbs"
        24⤵
        
        PID:1420
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7878d991-3154-43df-bae7-b07875e94d74.vbs"
        26⤵
        
        PID:5316
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e1b73db-2cf3-400c-9544-07730280b15c.vbs"
        28⤵
        
        PID:5028
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e08622a-2a37-42bd-a304-6c5f447c429b.vbs"
        30⤵
        
        PID:4980
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a7a5ee7-688a-46ce-832f-12c0104f1e68.vbs"
        32⤵
        
        PID:3932
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef26e456-db36-44f6-ac8e-2bb14ee06ac2.vbs"
        32⤵
        
        PID:4572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52de8d42-7173-4ed7-8bdc-f9876e332072.vbs"
        30⤵
        
        PID:4956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\935d2d97-8c5b-468b-846a-43c2ffac477c.vbs"
        28⤵
        
        PID:3668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd24582c-c361-45aa-b562-670565fe07f6.vbs"
        26⤵
        
        PID:5288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2da46022-72bd-4acd-a24d-07d46fd5bac1.vbs"
        24⤵
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe524aee-86ec-40ce-9024-75f76a96ff7e.vbs"
        22⤵
        
        PID:4024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfbb3caf-0aed-4935-9a18-b91f847b119c.vbs"
        20⤵
        
        PID:5372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79d42e62-1ea5-42c4-848a-068d0889305b.vbs"
        18⤵
        
        PID:5536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16a95fe2-69f5-4612-a983-d820d1bde56a.vbs"
        16⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcc2aab1-078b-43b4-be27-dda2e7b97468.vbs"
        14⤵
        
        PID:5136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4496fe8-ab9b-49d8-8cae-57b2113fb166.vbs"
        12⤵
        
        PID:4592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c79aadca-bd23-411f-885f-d0a731093f29.vbs"
        10⤵
        
        PID:5600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca43abd1-dd64-4c90-b474-1aa95af3ca79.vbs"
        8⤵
        
        PID:5184
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ec484e0-7f57-49e7-80e3-61de1fc7ce90.vbs"
        6⤵
        
        PID:3780
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ac19d65-95d8-42a8-b77a-37e92e0766a1.vbs"
      4⤵
      PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Contacts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f653aa47f3ef4d091f38ed9e5dcc6d47" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f653aa47f3ef4d091f38ed9e5dcc6d4" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f653aa47f3ef4d091f38ed9e5dcc6d47" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\34c553de294c1d56d0a800105b\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\34c553de294c1d56d0a800105b\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f653aa47f3ef4d091f38ed9e5dcc6d47" /sc MINUTE /mo 13 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f653aa47f3ef4d091f38ed9e5dcc6d4" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f653aa47f3ef4d091f38ed9e5dcc6d47" /sc MINUTE /mo 6 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4736_1164877528\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4736_1164877528\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4736_1164877528\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Fonts\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Links\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Links\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\ja-JP\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\ja-JP\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe

Filesize
885KB

MD5
7f653aa47f3ef4d091f38ed9e5dcc6d4

SHA1
68ec9ab071cd6429ff3da60901ca80b283a7943a

SHA256
91e17c8d5d7f65ef395f929f499b1d53eeabdc4cb909a3bb5eeeea0e470214c1

SHA512
3622e31c5d688dbb7b247a0d43d7ea0f06b7710a1b92ef176c7c0a137b08bbb3b976ac7aced4bec393107c88a8d851d4073d793d56b3c4b6d69dd028265f357d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e08622a-2a37-42bd-a304-6c5f447c429b.vbs

Filesize
708B

MD5
d20a38c2b12a9e43b0e4f84ecfd5fd5c

SHA1
f0a7ed2be4ce925a25551f9fe745c95a489df38a

SHA256
a788395ee68df30b470aa3fde7db69482069b6a3eab705121b4f8fadda38cc2c

SHA512
32e5ac2ecadf238db6d0460844fbd96394098061f10a2f04954ef00a82139375d298f61f9b786fd39b77b5a7447e17b1c206d6b868d3794347e0eb2b75076d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\200a7cfc-2ce0-479b-a800-24f78c079e05.vbs

Filesize
708B

MD5
7406318cac0b085f54a223fc3e6067a4

SHA1
85d93ab9a1abd608c41b83f71970497f2c6636f5

SHA256
df7d6677974b97ec6d91044412d916fda4c8fc868db9ece6dbb76c24696980d7

SHA512
fa2d13b161418b4a799b6c0578231d6e2032ff4dd072a53fd91d3930dc2636bcad8a1994dc647bee63fdb5bbfb093ea484a4faf9b88b939a46f239afdd05ac3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\205fb270-d9a9-4981-ae0b-d63ffaf1292c.vbs

Filesize
708B

MD5
1b0729ecd80a24c494b6ceb92f1a1243

SHA1
14cc14632fb1433c20f8ef354ba3defe04273ec1

SHA256
276299fb9edebd12994ebf6a4d70f1b9b440f8489b6a48e1cb720b87d8a89c39

SHA512
b44ca35f39dbf53d6abe2a8e022f999c81cd24c0769b4b9867e8c62cb70f01ab2870d894fe7dc609b173e0a263cb3acab92dba575a0a3e70ee9e7ee65298343f

Download Submit
C:\Users\Admin\AppData\Local\Temp\25ef0388-96ee-488c-abdd-fd69557e032e.vbs

Filesize
708B

MD5
dfefccc6816d8926957f7ec908b04e7e

SHA1
e4c8b526b5658bddd58026c8df013c5f30e59a3e

SHA256
4d028dc6c20940a0a2996cdbf417b3744e18e27ac7fc64830c5d520554c83d2c

SHA512
5afbe4da75a49ad1083ce32ded68bfbd1551e392fdedd8c802dc56c92111b1ed4fef967d2dd041a986237d3362e90149ffafb6bb990a16c96a6fb920bce75b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\39af05ec-b68f-46f4-b315-e2bc25c59b63.vbs

Filesize
708B

MD5
537314eac216f1917c917140062bb967

SHA1
a73293773f3be6a53a64ea534cc967884d810a77

SHA256
4e909d50eeeb19e5eb57c5677314ff3f1b4db5e2c81bd15fcf0febbccb6656eb

SHA512
6a4103a9020c23938369240b327452c8c46892ea654de24de85b4591aa7702fd2a41271f82b772e2b5df481691ca351ccfce6423067a1c66127ca8869668d247

Download Submit
C:\Users\Admin\AppData\Local\Temp\473dc452-cdaf-4dd4-8dbb-e2166b808f83.vbs

Filesize
708B

MD5
36a48066ed3ed7326fa7f9e64091003e

SHA1
3baf8dcc83a4cc4c1d2becd5590a87882cffbf6b

SHA256
7859e1fd71bb2a644932f7417a0cd072ff6679f8b64b1cd321c6c62700b021f7

SHA512
3297be302faaf71a8acb763370a793681f34600d65ff3a011a7a73ae6e4fb683bd9e0387823c4348f74b9dd234349af5cd3ca90196c70e7064638941b0634aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\49f74baf-05d0-400a-b1fb-052313fe20bc.vbs

Filesize
708B

MD5
10a60d09a056cd2810f9162a9e4d27b6

SHA1
c3f10f8c4f87b90b887126d89a1132a81dc5a5c9

SHA256
91069283a54b9b87291733fe79d4429fe3b36df9dcc48514d007c2ff1a9a117d

SHA512
bbcd8f56d71fd0d0b50cd800527ecfa72af54c70cba276043b17f17b14830e6eb40fa7b9cebe5fb2a676a7cf95ad629df674d803a5e18659e76b065598633986

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bcbcb99-a73e-4321-900f-2124fbbf8f9c.vbs

Filesize
708B

MD5
fff542ff62ecbfd2a5e3cd05c06ce162

SHA1
6994bb8c5ced918d77609d28787f26a2a96453dc

SHA256
6d7341ce6722651cdce98575b5139f37fbe61f9591680767b1171517e7a20ef8

SHA512
a195a457b85c478e34ab9d326793994740c060a980ab3263a0bb27d11e971f96df0bae3c0fb6dabc75292534609a5a91ef00bef311e43a9692fbc63322bd1fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c71a2ef-dace-46f7-8055-2be7c55e8572.vbs

Filesize
708B

MD5
598f7cb445359abbf4e4995762e7415d

SHA1
685cc2f81fd76ebd9f955d516d054584454c592b

SHA256
e1816d2c1ca1ba97d3fc7d562a559d2ae7d618d2a32bcabae88b40a4a132265c

SHA512
2a9e099f65684944778490938c44ba621903414e952cd023acc9181af0cbb7c0e44e8205763b9cf08d42b3044990b70e5f415e2f9be461632e5cfb8b3d2ebd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7878d991-3154-43df-bae7-b07875e94d74.vbs

Filesize
708B

MD5
7acf3573273f7c9e3ba90440a1f04098

SHA1
e17d62e2dbca4f1a31d1ff185e48a4e919cf20f3

SHA256
7b456d51da311ffd0a389a1f1ee2b7f1e810f008e2a60e91a13a398969acfa72

SHA512
fbf5c94570b83abed40b02eb2634b0af7861f234784980e62f6375d81b736e50af301fdf795c63305e311551381b2ea218ba0017be89cc4e49dbf9f06c762b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ac19d65-95d8-42a8-b77a-37e92e0766a1.vbs

Filesize
484B

MD5
3a8fc24938b3c34f5822ad8b55f13d3a

SHA1
27bd877e4cb1250da47f6054ebb27a7c10c33249

SHA256
8e61f8c2179e017014844ce3f9698a2659e39e0d79d4dec4b72664e9d269da94

SHA512
66f4fd4cf72619087974ad3957728372f917b89c2ae8de2409735b4b53d0f369d3a5464af00f9519cd8c994d7801f5a761a973dfbc76c7928c83bfcafec01d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a7a5ee7-688a-46ce-832f-12c0104f1e68.vbs

Filesize
708B

MD5
3ff00a657be4d4f9e01dfcbe7371b664

SHA1
b58b0af60cdaf27f1aa3a0986f0f0c33d3a8bfac

SHA256
cda59e5fba8a5e2f2f135b53de3b87009ebd0f416b1e5d55a0484d4f707a5b30

SHA512
5b3509d1b08e645d2545036ff89e3ce0eb843aaecb0756cf0af71bf460843eebad7930011c241b4f37000c071db5490e29cfede4db7818fa369a364e7c8758e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e1b73db-2cf3-400c-9544-07730280b15c.vbs

Filesize
708B

MD5
56f7d4d24cf0dd4a565c5d39d24668f2

SHA1
4013950d71006ce9f7d8283e89126b05f931d1c6

SHA256
88a2ab6e30b44d3c51269e0dc2b06dab2619f3078de368be81263b60d8faab69

SHA512
62bc2651642ba12b8ec9a89cdd634e8044f8dc7dd698a083e46d28479159a2bcbc1f7d63ac1d044847a9f6a20f0d457fef8323fcdcdb937b8643c56305864e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RehPSk1Cs7.bat

Filesize
197B

MD5
2043c3f7541a709a99b5b9a5ee9354cf

SHA1
0f5ac605916a6a6eaa2b61334ca1678a40966c16

SHA256
82573d4729193159244f73c3c9ef2086ebcf4214d4eaec3a60f59bf103107397

SHA512
51c7ef86e2adcfd3da3606fb608742d6ff8b95142604155c7cabe26f3c0ec23b1e8bd32fa776deb39cc6987d037485d32947fdc031166090f9ed6c613f2b2db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\af83efc0-b7fe-4630-acc8-75263898cb58.vbs

Filesize
708B

MD5
dfc269b170329ab9612dfabac4c6c059

SHA1
7da79614fb795e1b507b126a4d4b26bdf81da022

SHA256
bae83294bc573854c8f06e10a975e32417f6d962fe7f8b8c134b9fe5d3bee620

SHA512
86c7b14422252a97f0beedcd4c700c55942205ef7e03e1b6e6a3c092ce2ce009fa138eef83de0f963cbedcef5e78a142ca803002917fb20f2fd167b0bba03385

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1f735e4-721c-4448-ad41-6544c26bb443.vbs

Filesize
708B

MD5
97317fdfb7b560164391afa598cccafb

SHA1
df626ed0faf37b9ead5d5e86ec0ca174e66b33e8

SHA256
dd1925e5394439ab681cefea165660ca8a72840770656d6d3f2b951e015eb281

SHA512
364893834ca637ea68cf70ee045fa3bb99b7c532c44ec5ee760479d9d43c3d206622425aa1760aff1a3c45ebb9f325178f6526a26c18b2e3d5aaa2253a45c56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eba94d30-79ea-4fdd-9c2a-e6734427ccbc.vbs

Filesize
708B

MD5
539095ba0d90873afea520cd80f61426

SHA1
e3576ba01aa55a5e0ff7baaefa5ecc9e1491ab59

SHA256
4dd5b4f44d912f688d2ea013ef2a20595fc5afe212c8cf504e778272266bdbd7

SHA512
941dba1ed2b56066f005a80d45b272c223b8ef54d0c65ef62329dbf16fbf5f8fd352db09fc0032a70a5f6ef7b60c8b6c8735fffbd8450da19d537e4dfaa51b48

Download Submit
memory/2376-7-0x000000001B250000-0x000000001B25A000-memory.dmp

Filesize
40KB

Download
memory/2376-5-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/2376-231-0x00007FFA83C70000-0x00007FFA84731000-memory.dmp

Filesize
10.8MB

Download
memory/2376-1-0x0000000000610000-0x00000000006F4000-memory.dmp

Filesize
912KB

Download
memory/2376-6-0x000000001B230000-0x000000001B246000-memory.dmp

Filesize
88KB

Download
memory/2376-2-0x00007FFA83C70000-0x00007FFA84731000-memory.dmp

Filesize
10.8MB

Download
memory/2376-0-0x00007FFA83C73000-0x00007FFA83C75000-memory.dmp

Filesize
8KB

Download
memory/2376-8-0x000000001B260000-0x000000001B26E000-memory.dmp

Filesize
56KB

Download
memory/2376-3-0x0000000002910000-0x000000000292C000-memory.dmp

Filesize
112KB

Download
memory/2376-9-0x000000001B270000-0x000000001B278000-memory.dmp

Filesize
32KB

Download
memory/2376-4-0x000000001B280000-0x000000001B2D0000-memory.dmp

Filesize
320KB

Download
memory/2376-10-0x000000001B2D0000-0x000000001B2DC000-memory.dmp

Filesize
48KB

Download
memory/2492-326-0x000000001BDC0000-0x000000001BEC2000-memory.dmp

Filesize
1.0MB

Download
memory/2956-279-0x000000001BB10000-0x000000001BC12000-memory.dmp

Filesize
1.0MB

Download
memory/3052-303-0x000000001C0D0000-0x000000001C1D2000-memory.dmp

Filesize
1.0MB

Download
memory/3640-338-0x000000001C230000-0x000000001C332000-memory.dmp

Filesize
1.0MB

Download
memory/5168-291-0x000000001C120000-0x000000001C222000-memory.dmp

Filesize
1.0MB

Download