dcrat | 63b2109d651e58bdceb6dcd68821e723f4a5ce45875405cf395ff04937ea26b8

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
Size

1.6MB
MD5

4d0d9e2f3b8a29bd81895302e6b96923
SHA1

400acf93d23144e814d99769db2796e71b802c42
SHA256

9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7
SHA512

6284cb80bfde21bdcd41b0474a92b5f5516a92bfb77256cf6fda6072b4de483334480d4e66f556a861d2592077ece71578e9cae224639c4ad63818f578637913
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5580	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6120	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5712	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5284	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4572	schtasks.exe	87

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/5392-1-0x0000000000800000-0x00000000009A2000-memory.dmp	dcrat
behavioral2/files/0x000700000002423c-26.dat	dcrat
behavioral2/files/0x000f0000000240e8-79.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1196	powershell.exe
3912	powershell.exe
5936	powershell.exe
4216	powershell.exe
3700	powershell.exe
4012	powershell.exe
2804	powershell.exe
3540	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe

Executes dropped EXE 15 IoCs

pid	Process
4612	StartMenuExperienceHost.exe
5860	StartMenuExperienceHost.exe
5532	StartMenuExperienceHost.exe
5756	StartMenuExperienceHost.exe
4432	StartMenuExperienceHost.exe
2572	StartMenuExperienceHost.exe
3044	StartMenuExperienceHost.exe
4420	StartMenuExperienceHost.exe
4164	StartMenuExperienceHost.exe
5732	StartMenuExperienceHost.exe
5476	StartMenuExperienceHost.exe
5548	StartMenuExperienceHost.exe
4848	StartMenuExperienceHost.exe
464	StartMenuExperienceHost.exe
6032	StartMenuExperienceHost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4556_1930870954\csrss.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File created	C:\Program Files\edge_BITS_4556_1930870954\886983d96e3d3e	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files\edge_BITS_4556_1930870954\RCX70A2.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files\edge_BITS_4556_1930870954\RCX70B3.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files\edge_BITS_4556_1930870954\csrss.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCX7A01.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\55b276f4edf653	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCX7A02.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Boot\unsecapp.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File created	C:\Windows\Fonts\StartMenuExperienceHost.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File created	C:\Windows\Fonts\55b276f4edf653	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Windows\Fonts\RCX77DC.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Windows\Fonts\RCX77EC.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Windows\Fonts\StartMenuExperienceHost.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	StartMenuExperienceHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
436	schtasks.exe
5580	schtasks.exe
388	schtasks.exe
2948	schtasks.exe
6120	schtasks.exe
4808	schtasks.exe
3872	schtasks.exe
4692	schtasks.exe
4728	schtasks.exe
4736	schtasks.exe
4892	schtasks.exe
4776	schtasks.exe
4832	schtasks.exe
4840	schtasks.exe
5712	schtasks.exe
4760	schtasks.exe
3668	schtasks.exe
5016	schtasks.exe
5284	schtasks.exe
4332	schtasks.exe
4876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
4012	powershell.exe
4012	powershell.exe
4216	powershell.exe
4216	powershell.exe
1196	powershell.exe
1196	powershell.exe
3912	powershell.exe
3912	powershell.exe
3700	powershell.exe
3540	powershell.exe
3700	powershell.exe
3540	powershell.exe
5936	powershell.exe
5936	powershell.exe
2804	powershell.exe
2804	powershell.exe
3912	powershell.exe
1196	powershell.exe
4012	powershell.exe
4216	powershell.exe
3700	powershell.exe
3540	powershell.exe
5936	powershell.exe
2804	powershell.exe
4612	StartMenuExperienceHost.exe
5860	StartMenuExperienceHost.exe
5532	StartMenuExperienceHost.exe
5756	StartMenuExperienceHost.exe
5756	StartMenuExperienceHost.exe
4432	StartMenuExperienceHost.exe
4432	StartMenuExperienceHost.exe
2572	StartMenuExperienceHost.exe
3044	StartMenuExperienceHost.exe
4420	StartMenuExperienceHost.exe
4164	StartMenuExperienceHost.exe
5732	StartMenuExperienceHost.exe
5476	StartMenuExperienceHost.exe
5548	StartMenuExperienceHost.exe
4848	StartMenuExperienceHost.exe
464	StartMenuExperienceHost.exe
6032	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	5936	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	4612	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5860	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5532	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5756	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4432	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2572	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3044	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4420	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4164	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5732	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5476	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5548	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4848	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	464	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	6032	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5392 wrote to memory of 4012	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	111
PID 5392 wrote to memory of 4012	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	111
PID 5392 wrote to memory of 3700	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	112
PID 5392 wrote to memory of 3700	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	112
PID 5392 wrote to memory of 4216	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	114
PID 5392 wrote to memory of 4216	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	114
PID 5392 wrote to memory of 5936	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	116
PID 5392 wrote to memory of 5936	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	116
PID 5392 wrote to memory of 3912	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	117
PID 5392 wrote to memory of 3912	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	117
PID 5392 wrote to memory of 1196	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	118
PID 5392 wrote to memory of 1196	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	118
PID 5392 wrote to memory of 3540	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	120
PID 5392 wrote to memory of 3540	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	120
PID 5392 wrote to memory of 2804	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	121
PID 5392 wrote to memory of 2804	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	121
PID 5392 wrote to memory of 4612	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	127
PID 5392 wrote to memory of 4612	5392	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	127
PID 4612 wrote to memory of 4804	4612	StartMenuExperienceHost.exe	129
PID 4612 wrote to memory of 4804	4612	StartMenuExperienceHost.exe	129
PID 4612 wrote to memory of 3768	4612	StartMenuExperienceHost.exe	130
PID 4612 wrote to memory of 3768	4612	StartMenuExperienceHost.exe	130
PID 4804 wrote to memory of 5860	4804	WScript.exe	133
PID 4804 wrote to memory of 5860	4804	WScript.exe	133
PID 5860 wrote to memory of 5260	5860	StartMenuExperienceHost.exe	134
PID 5860 wrote to memory of 5260	5860	StartMenuExperienceHost.exe	134
PID 5860 wrote to memory of 1692	5860	StartMenuExperienceHost.exe	135
PID 5860 wrote to memory of 1692	5860	StartMenuExperienceHost.exe	135
PID 5260 wrote to memory of 5532	5260	WScript.exe	137
PID 5260 wrote to memory of 5532	5260	WScript.exe	137
PID 5532 wrote to memory of 5348	5532	StartMenuExperienceHost.exe	138
PID 5532 wrote to memory of 5348	5532	StartMenuExperienceHost.exe	138
PID 5532 wrote to memory of 2836	5532	StartMenuExperienceHost.exe	139
PID 5532 wrote to memory of 2836	5532	StartMenuExperienceHost.exe	139
PID 5348 wrote to memory of 5756	5348	WScript.exe	143
PID 5348 wrote to memory of 5756	5348	WScript.exe	143
PID 5756 wrote to memory of 3540	5756	StartMenuExperienceHost.exe	146
PID 5756 wrote to memory of 3540	5756	StartMenuExperienceHost.exe	146
PID 5756 wrote to memory of 5556	5756	StartMenuExperienceHost.exe	147
PID 5756 wrote to memory of 5556	5756	StartMenuExperienceHost.exe	147
PID 3540 wrote to memory of 4432	3540	WScript.exe	148
PID 3540 wrote to memory of 4432	3540	WScript.exe	148
PID 4432 wrote to memory of 556	4432	StartMenuExperienceHost.exe	149
PID 4432 wrote to memory of 556	4432	StartMenuExperienceHost.exe	149
PID 4432 wrote to memory of 3592	4432	StartMenuExperienceHost.exe	150
PID 4432 wrote to memory of 3592	4432	StartMenuExperienceHost.exe	150
PID 556 wrote to memory of 2572	556	WScript.exe	154
PID 556 wrote to memory of 2572	556	WScript.exe	154
PID 2572 wrote to memory of 4692	2572	StartMenuExperienceHost.exe	155
PID 2572 wrote to memory of 4692	2572	StartMenuExperienceHost.exe	155
PID 2572 wrote to memory of 5028	2572	StartMenuExperienceHost.exe	156
PID 2572 wrote to memory of 5028	2572	StartMenuExperienceHost.exe	156
PID 4692 wrote to memory of 3044	4692	WScript.exe	157
PID 4692 wrote to memory of 3044	4692	WScript.exe	157
PID 3044 wrote to memory of 1484	3044	StartMenuExperienceHost.exe	158
PID 3044 wrote to memory of 1484	3044	StartMenuExperienceHost.exe	158
PID 3044 wrote to memory of 4144	3044	StartMenuExperienceHost.exe	159
PID 3044 wrote to memory of 4144	3044	StartMenuExperienceHost.exe	159
PID 1484 wrote to memory of 4420	1484	WScript.exe	161
PID 1484 wrote to memory of 4420	1484	WScript.exe	161
PID 4420 wrote to memory of 1096	4420	StartMenuExperienceHost.exe	162
PID 4420 wrote to memory of 1096	4420	StartMenuExperienceHost.exe	162
PID 4420 wrote to memory of 5532	4420	StartMenuExperienceHost.exe	163
PID 4420 wrote to memory of 5532	4420	StartMenuExperienceHost.exe	163

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
"C:\Users\Admin\AppData\Local\Temp\9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4556_1930870954\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
  "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64f3ef64-690b-4fb0-baad-aca938f1e1a4.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
      "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5860
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3549540e-53d2-4df3-a707-6c00f1b2701e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5260
      - C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\837993fc-2bf7-4976-a581-ed73346da129.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5348
        
        C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c8027a1-eb79-4792-8e6a-130fc66c9db6.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8476e09b-a904-4592-b54f-c40bb5a7909a.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77cde71b-c417-4bdd-9e4a-5fe4391c1b64.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d0cdb72-1a66-4350-bdc8-3f129cfa5adc.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd8b5c02-fdf7-4af0-8462-8777fe8183cc.vbs"
        17⤵
        
        PID:1096
        
        C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56736275-5751-4b36-827a-be4a5d55d167.vbs"
        19⤵
        
        PID:1056
        
        C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1ada4e7-0ee6-4a02-af30-8e59dfb51c66.vbs"
        21⤵
        
        PID:3516
        
        C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c596b0b-047f-4c81-ac79-b8f855d1a336.vbs"
        23⤵
        
        PID:1040
        
        C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\605a9fa3-180b-4296-8575-a10a6a35f656.vbs"
        25⤵
        
        PID:3520
        
        C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64a9b052-c58a-42f2-a1de-4309c212a295.vbs"
        27⤵
        
        PID:5512
        
        C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffde03ae-6708-4efd-bb4e-a7c7af010e66.vbs"
        29⤵
        
        PID:3444
        
        C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80bd3882-ab16-48b1-988c-e067b327ffaf.vbs"
        31⤵
        
        PID:5692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0faa980-27f2-4240-a2ff-0eb99c9d80b3.vbs"
        31⤵
        
        PID:5464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca4364ed-f590-43f7-8ebc-64f79b86b7fc.vbs"
        29⤵
        
        PID:5956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c9fe7d1-79de-4d8d-8c1e-4f5bf2c55819.vbs"
        27⤵
        
        PID:4616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2339a273-94ce-459f-84cb-ce8872de9ee7.vbs"
        25⤵
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edc65dd6-996a-4677-b217-69ffb9937aba.vbs"
        23⤵
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c085d8d-49f3-4d9f-9815-18e36ce7d7b2.vbs"
        21⤵
        
        PID:668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38f567a2-e7a8-46f1-a4b9-310ae6124149.vbs"
        19⤵
        
        PID:5616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02bfcc07-24fb-46ea-9dc3-7bfe9ef9d202.vbs"
        17⤵
        
        PID:5532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ac2f408-6af6-4e8b-9a41-71cf734733ab.vbs"
        15⤵
        
        PID:4144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b121f95b-74e9-4b17-bbb5-15c12e540616.vbs"
        13⤵
        
        PID:5028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6404979d-1b84-430d-8b21-386b13045a5a.vbs"
        11⤵
        
        PID:3592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38ecb1ef-c76d-4531-bce0-d03f51db38f8.vbs"
        9⤵
        
        PID:5556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63ce6a08-eff3-4dde-8ea7-347188ac270a.vbs"
        7⤵
        
        PID:2836
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bc5f6d4-cb8d-4b31-a0c9-ac5c5f70df36.vbs"
        5⤵
        
        PID:1692
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10308305-2c18-424a-8b9a-a675c762ef43.vbs"
    3⤵
    PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\aff403968f1bfcc42131676322798b50\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4556_1930870954\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4556_1930870954\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4556_1930870954\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Fonts\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.6MB

MD5
79a42ce3396320247c0985c19e117deb

SHA1
ee4d6e830376c757317403050446009e31858285

SHA256
70603f5ca2d64569c11aa6a8799d2ff700136e2ca683bfcb0fe9138562ddae25

SHA512
ca2b42624aee25139ecd715347de40241230333a29c02384deba11d0e5c0368fd15ffc7f848d52733744ad06a148e508d7fa42f22761cb858b0580bd477bdf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
abc61b7a532b5a8ab5bede2f413c1a71

SHA1
82ed1d78231b408bd8c072b7e08ac0aec0c43a7e

SHA256
43027d7e917d7dc6caa6621eec3187dbfb8c2d3d02f3e0b4c8cf0a37505c9a51

SHA512
2ebe7180da937c44f332dfec8e1b0e5a6b00a8825555829ad6a631d7e54252d3254b9c544370717042cc6c118b83f21f09798d5891d3919363c69439af956adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
acd80d6d7114a61d8c01c77f78c805fb

SHA1
f0b79e5fd09ae019fe95d994a5b32a6a6922172d

SHA256
2d8d88440ac91d756e52b9029c25684ad2522f9dbb9c800f3929633529497818

SHA512
1cc189cbcdd80466b3418694e025e7ad00b8da0b882096a6e1274e0544b103c3bfcc717f4975ae03eda9f1bca94f7280dcc910ca207d04e44ef8db287ee6a266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a15743cd087226baafa094c9aed07dc4

SHA1
2124cf2ac13da80b2e3cd37d3eab477261771423

SHA256
4211b5503de68413f5605cbeec4a49fb46fbec44c58df95be892f0dc308a39cf

SHA512
301e82e45c3e190bdbc1316cda1cd735434c5aa873a57322e807c7cf4c23e006e11a7347ebb0f8afed181d3a4d860202cbd6fc721b9970296c7a4b1a367805a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10308305-2c18-424a-8b9a-a675c762ef43.vbs

Filesize
525B

MD5
ae3cb900355e381a82ccaab58ca8c974

SHA1
ded1b9a8c9e4aeaaf57d0f34cd62c88623549201

SHA256
3864b4cedebf2117f49968d26ddd4bc18d4243f49e0042dd13ee17cef8f9db69

SHA512
7025bd79005b0c6a6f8c8fac52a9189a7a3fbf04685aba094e689dc886427dabd2da7ce0382b24b3fa81fae8612f44726a20b156884b144d5a04bffa16ef0a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3549540e-53d2-4df3-a707-6c00f1b2701e.vbs

Filesize
749B

MD5
908e716d99715325f957362e5a3480dc

SHA1
7d7d405c6b404c64b364b73d68e08f4a986b5d21

SHA256
f8cb26d5b874a7462d0f0a7ae0c3ca0c107e673cf31201ed4d98c245b637f8c6

SHA512
e82d671da96c076ac276f85193b674db1e7afd14f5e5a98601004ba69505983d7221775e45d57e73ec0316b303437e03c7cc27c973b0cdcf0c4af04cc603e2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d0cdb72-1a66-4350-bdc8-3f129cfa5adc.vbs

Filesize
749B

MD5
cc929a71f30a2cdfc852f6779daf768f

SHA1
464d63e3e3eb338aec252e0916e5ab4401a35fa3

SHA256
7a33e0d47e6ed29112101ba2d67e3482ea39bd7f9db03087036c6af54596f581

SHA512
9dafb40f31b8f14384f8738ff54edfed0982499b558ce0ff785ff11112db6139508ae4f46f23caee94013506b81ffd7c0773509cf009c8768d45b571db42c203

Download Submit
C:\Users\Admin\AppData\Local\Temp\56736275-5751-4b36-827a-be4a5d55d167.vbs

Filesize
749B

MD5
37f9375f104df7cad48f37fe13b71ba0

SHA1
e2924680155d1f6b6c25836134458ba9d7be668d

SHA256
4cad14bc2c6a5049d187920da60fd6f909dfef147cb6daebd3e0c0dade75d154

SHA512
05eca367e802c81ff2f67cd6a56b97e9bcf59ef9487f710cf561b7a286b124bd384cbada904ad60b2a42abad48066d610eeae73d0cc7bc82941cc27b24fde221

Download Submit
C:\Users\Admin\AppData\Local\Temp\605a9fa3-180b-4296-8575-a10a6a35f656.vbs

Filesize
749B

MD5
ad8abd90252764f7d858bbf74d452398

SHA1
33c91ccde5f0c529dba37e155da10f597b1c5f5b

SHA256
abcb7205a79dafe956fb8e1bcedef56ffd44977caea22e2b75aba44c8af01121

SHA512
14dd717ec232af5ea471815e139cf379ca50deea7130dc5c0c020bfd79c67682ba8d4d30bba5dabd85a3c207350b9537bc1ec785ae68b8ec9482e95ce5256c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\64a9b052-c58a-42f2-a1de-4309c212a295.vbs

Filesize
749B

MD5
8c012e9abc8354f1e260bb5f2a68aa6f

SHA1
8ef351614a60c80f2ba4a13b8ca923586dc50fa9

SHA256
e3de067c115da3e1160ab6f1b0bd7598a542da89c7eaa2a15aa03ab853dcf25e

SHA512
fecb186d618a53de64242838c1fd664ab782c58275c478f136347b5af5636e91f7f6ceb52f818cdfaf5de7f298cd15d94ff77b117a0346e6db89c6e0715c3d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\64f3ef64-690b-4fb0-baad-aca938f1e1a4.vbs

Filesize
749B

MD5
c6c08e710b3f7ff0a0bca35d56af1488

SHA1
0d1ee7dcb03359fcc95161ee6b51a445f55ef534

SHA256
bc3a248adeb96b7fa8b58d2cee97e963c6728217fbd67d12859362620ad06beb

SHA512
a5684526f859f52066ab3f49ad3da82a173c98a370f921138cf612b29c36f12e986f067b1f9a18b1233482a2c5eaab6c944c1e39d6e2a4526412f764c9d4cc92

Download Submit
C:\Users\Admin\AppData\Local\Temp\77cde71b-c417-4bdd-9e4a-5fe4391c1b64.vbs

Filesize
749B

MD5
86d2c5f8598fe1bd8724156c466fa9fc

SHA1
01585990c13db8895e98021e64e4eee3933200d5

SHA256
0603b815696431054c068c32ab9446cb80aadaa94c9b99650c97aa65f5f0bd75

SHA512
422fddfbb2ba35e040616258ceb5ac3b959495ea8984bc9318a54e2d20db2fd06cd3d1841455cd30409a70d2151b62a9c4adc0d0e6b04809baa66e0ed580b401

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c596b0b-047f-4c81-ac79-b8f855d1a336.vbs

Filesize
749B

MD5
540c2d2bdc89c5b24e02be287c6cc8ab

SHA1
ddc7f64817d89d8f8d053dad8b7bc2bc9b1b97a9

SHA256
3e82ff27af502f9ac9e8f84ab52d791d7a39aac6334953b32c1e3618f43799ef

SHA512
00ecd1e956f3c655ee69b62bec23c823887501307aebe81121dd952ba613b1161984f5757fca62f8d1b45edc47a5ff632e19e170f353b787c2e66e9cbd821a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\837993fc-2bf7-4976-a581-ed73346da129.vbs

Filesize
749B

MD5
f4d0861f64758fb820048425520eee2d

SHA1
d0043a9ffb17b38b60777e40bf970746d696eb54

SHA256
f2176048b55e8ec0dee70e64b36f4324108e634f3df8bf368b1565e9a52879d7

SHA512
aeb89db1219fd7b01d40d7bc51fda73f2ad552313c4161eff6bd1b09c4113fe0b071916eb29423278cb9bcda61340dd0cd25e0a6f0ab85ceab84368f137d5141

Download Submit
C:\Users\Admin\AppData\Local\Temp\8476e09b-a904-4592-b54f-c40bb5a7909a.vbs

Filesize
749B

MD5
a331e4303a9b261427bfd80b80140560

SHA1
658cbbd18c2d87f88983c576878ba9ac1d5696a2

SHA256
3e37b633252ce9c95da86b71cce5f771c4c2d9d99e7cd3845988eb0a6cfb27ac

SHA512
a382c46e1c898985bc4d91a28c771e8a0dcf66c1f56d70053ada3ffca7f302a23059f32a7223b5af0dca24eb740b35a7155dff69f46d238859feb53c556ed904

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c8027a1-eb79-4792-8e6a-130fc66c9db6.vbs

Filesize
749B

MD5
2d0034f3b89727571d1f878301636195

SHA1
68e8a68fe1bf7eab3954075a822bf2125e5033e7

SHA256
ea7cea35323e7a10b6238b8f9a04d95dd726d4d59248d7519704c05dfb442bfa

SHA512
5d38e9c70d677b4d19ae1a0e813052c2610c4e08cc50f1a28f87a93163a73ef1ce001e951617c8844271d8eb249436ef563441e7f4cf0390595d5ac17c54f44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jhgxuu0u.ykm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd8b5c02-fdf7-4af0-8462-8777fe8183cc.vbs

Filesize
749B

MD5
e78765455b8c35f7fbf13130418bf351

SHA1
fecb514efecc41e7faf79adfeda296d3899739be

SHA256
6bd4299603d6eedcc0de5c81f3fb96f4d9329d1c54cda87cfaf9298481b4ae35

SHA512
9d5685a653fcb157c4be0f4a870d103033c69612920828b8b5b8989da3f50e304325ddf16e7eec8573926b1fd09c76a8cd4173d2eb68c82329a6eaae8ea7f32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1ada4e7-0ee6-4a02-af30-8e59dfb51c66.vbs

Filesize
749B

MD5
6f245f1410043832388c72783e2f31ad

SHA1
44a1e2478d45c6a09ada1acb0e6658b33cfc7037

SHA256
45cd4374f9c244f2533c690ca38a25d82a15fbc35b1ade7cfdcd0a06a3509f54

SHA512
21b1fc48924f70c0671ea90fb321d5d6cda02518f3568e3551d9cdbfc00828458afbff0ceadeef4618346f7e64994e4335d379b8cde5017b5da3fcd3705c7e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffde03ae-6708-4efd-bb4e-a7c7af010e66.vbs

Filesize
748B

MD5
7b404b41c0ee01c0b6e51b85a292f9e3

SHA1
6ad672335aa55bef8270cab8573333ba894b88c5

SHA256
67acb1d97209d6639f930e86d132a35f8cd8fadd71e4bbd72089ba1930bd416f

SHA512
809f5c8e41bf16176acf17430508501217434aa8c4293c4e6a16796f2991d2b177cc96979f80f429ef09022115d0bb6f487a5cf52508e6011cfeb0e228a8ebcd

Download Submit
C:\f9532e701a889cdd91b8\csrss.exe

Filesize
1.6MB

MD5
4d0d9e2f3b8a29bd81895302e6b96923

SHA1
400acf93d23144e814d99769db2796e71b802c42

SHA256
9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7

SHA512
6284cb80bfde21bdcd41b0474a92b5f5516a92bfb77256cf6fda6072b4de483334480d4e66f556a861d2592077ece71578e9cae224639c4ad63818f578637913

Download Submit
memory/4012-177-0x000001B2DF710000-0x000001B2DF732000-memory.dmp

Filesize
136KB

Download
memory/5392-251-0x00007FFF59C40000-0x00007FFF5A701000-memory.dmp

Filesize
10.8MB

Download
memory/5392-0-0x00007FFF59C43000-0x00007FFF59C45000-memory.dmp

Filesize
8KB

Download
memory/5392-17-0x000000001B650000-0x000000001B65C000-memory.dmp

Filesize
48KB

Download
memory/5392-16-0x000000001B640000-0x000000001B64A000-memory.dmp

Filesize
40KB

Download
memory/5392-15-0x000000001B630000-0x000000001B638000-memory.dmp

Filesize
32KB

Download
memory/5392-14-0x0000000002CD0000-0x0000000002CD8000-memory.dmp

Filesize
32KB

Download
memory/5392-13-0x0000000002CC0000-0x0000000002CCE000-memory.dmp

Filesize
56KB

Download
memory/5392-12-0x0000000002CB0000-0x0000000002CBA000-memory.dmp

Filesize
40KB

Download
memory/5392-11-0x0000000002CA0000-0x0000000002CAC000-memory.dmp

Filesize
48KB

Download
memory/5392-10-0x0000000002B20000-0x0000000002B2C000-memory.dmp

Filesize
48KB

Download
memory/5392-9-0x0000000002B10000-0x0000000002B18000-memory.dmp

Filesize
32KB

Download
memory/5392-8-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/5392-7-0x0000000002B00000-0x0000000002B08000-memory.dmp

Filesize
32KB

Download
memory/5392-6-0x0000000002AE0000-0x0000000002AF6000-memory.dmp

Filesize
88KB

Download
memory/5392-5-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/5392-4-0x0000000002C40000-0x0000000002C90000-memory.dmp

Filesize
320KB

Download
memory/5392-3-0x0000000001260000-0x000000000127C000-memory.dmp

Filesize
112KB

Download
memory/5392-2-0x00007FFF59C40000-0x00007FFF5A701000-memory.dmp

Filesize
10.8MB

Download
memory/5392-1-0x0000000000800000-0x00000000009A2000-memory.dmp

Filesize
1.6MB

Download