dcrat | 579b72fd2fcc3cce6facff0b2b01a0571d041792d3a0b9f3ae7c7155467067a2

Analysis

max time kernel
1050s
max time network
1050s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
28/03/2025, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Element.exe
Size

1.4MB
MD5

adbe8f67d479b99bcd29824cf1f2a54c
SHA1

a6a61e93fc60ab956114653b388d96a83d5fad04
SHA256

579b72fd2fcc3cce6facff0b2b01a0571d041792d3a0b9f3ae7c7155467067a2
SHA512

a88607580eb3848a990388e74e00402b594c437e0f732e16136feaba812a5ea47424eedfa3357af5ef70353a251a241e81636c21ada2504dc41d5526797239e7
SSDEEP

24576:u2G/nvxW3WieCNKvNRRk656mvI/1mBnUjJB4j3ST6rlcAqpJ/jko:ubA3jNgT60qjJGCTAqxrN

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\", \"C:\\comSavesSessionbrokerNet\\sihost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\", \"C:\\comSavesSessionbrokerNet\\sihost.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\upfc.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\", \"C:\\comSavesSessionbrokerNet\\sihost.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\upfc.exe\", \"C:\\Program Files\\Google\\StartMenuExperienceHost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\", \"C:\\comSavesSessionbrokerNet\\sihost.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\upfc.exe\", \"C:\\Program Files\\Google\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\host\\unsecapp.exe\", \"C:\\comSavesSessionbrokerNet\\Registry.exe\", \"C:\\comSavesSessionbrokerNet\\sppsvc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.AsyncTextService_8wekyb3d8bbwe\\pris\\unsecapp.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\", \"C:\\comSavesSessionbrokerNet\\sihost.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\conhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\", \"C:\\comSavesSessionbrokerNet\\sihost.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\upfc.exe\", \"C:\\Program Files\\Google\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\host\\unsecapp.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\", \"C:\\comSavesSessionbrokerNet\\sihost.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\upfc.exe\", \"C:\\Program Files\\Google\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\host\\unsecapp.exe\", \"C:\\comSavesSessionbrokerNet\\Registry.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\", \"C:\\comSavesSessionbrokerNet\\sihost.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\upfc.exe\", \"C:\\Program Files\\Google\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\host\\unsecapp.exe\", \"C:\\comSavesSessionbrokerNet\\Registry.exe\", \"C:\\comSavesSessionbrokerNet\\sppsvc.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\", \"C:\\comSavesSessionbrokerNet\\sihost.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\", \"C:\\comSavesSessionbrokerNet\\sihost.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\upfc.exe\", \"C:\\Program Files\\Google\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\fontdrvhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\", \"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\", \"C:\\comSavesSessionbrokerNet\\sihost.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\2c2456cde7c2d3d523bbee74f6\\upfc.exe\", \"C:\\Program Files\\Google\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\host\\unsecapp.exe\", \"C:\\comSavesSessionbrokerNet\\Registry.exe\", \"C:\\comSavesSessionbrokerNet\\sppsvc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.AsyncTextService_8wekyb3d8bbwe\\pris\\unsecapp.exe\", \"C:\\comSavesSessionbrokerNet\\SearchApp.exe\""	ChainComsvc.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5320	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5324	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5388	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5688	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5424	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5436	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5884	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6032	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5528	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5492	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6108	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	5668	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	5668	schtasks.exe	85

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000281a9-13.dat	dcrat
behavioral1/memory/4500-16-0x0000000000C00000-0x0000000000D2A000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
7032	powershell.exe
6992	powershell.exe
6976	powershell.exe
6928	powershell.exe
6952	powershell.exe
6960	powershell.exe
7008	powershell.exe
6912	powershell.exe
6968	powershell.exe
7056	powershell.exe
7016	powershell.exe
6984	powershell.exe
7000	powershell.exe
6920	powershell.exe
6936	powershell.exe
7068	powershell.exe
7048	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
35	5948	sppsvc.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	Element.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	ChainComsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Executes dropped EXE 52 IoCs

pid	Process
4500	ChainComsvc.exe
4884	fontdrvhost.exe
4756	fontdrvhost.exe
5780	WmiPrvSE.exe
5100	WmiPrvSE.exe
3820	dllhost.exe
4252	dllhost.exe
1072	sysmon.exe
4416	sysmon.exe
1840	cmd.exe
2340	sihost.exe
2764	cmd.exe
1084	sihost.exe
8	conhost.exe
4104	conhost.exe
4052	WmiPrvSE.exe
2096	upfc.exe
4704	WmiPrvSE.exe
5076	upfc.exe
4012	StartMenuExperienceHost.exe
4468	StartMenuExperienceHost.exe
4472	fontdrvhost.exe
2732	fontdrvhost.exe
4136	unsecapp.exe
1468	unsecapp.exe
1852	Registry.exe
6204	Registry.exe
6220	unsecapp.exe
6352	unsecapp.exe
6380	sppsvc.exe
6392	sppsvc.exe
6500	SearchApp.exe
6544	SearchApp.exe
5948	sppsvc.exe
2984	sppsvc.exe
6248	Registry.exe
6492	StartMenuExperienceHost.exe
3944	WmiPrvSE.exe
4764	fontdrvhost.exe
460	SearchApp.exe
4444	Registry.exe
5960	cmd.exe
1048	sysmon.exe
4908	sppsvc.exe
3752	StartMenuExperienceHost.exe
1596	upfc.exe
4988	conhost.exe
2816	WmiPrvSE.exe
2736	unsecapp.exe
5088	sihost.exe
6668	dllhost.exe
4384	Registry.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\2c2456cde7c2d3d523bbee74f6\\upfc.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\2c2456cde7c2d3d523bbee74f6\\upfc.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Google\\StartMenuExperienceHost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Google\\StartMenuExperienceHost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\fontdrvhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\InputMethod\\SHARED\\fontdrvhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\comSavesSessionbrokerNet\\Registry.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\comSavesSessionbrokerNet\\Registry.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\SystemApps\\Microsoft.AsyncTextService_8wekyb3d8bbwe\\pris\\unsecapp.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\comSavesSessionbrokerNet\\SearchApp.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\2c2456cde7c2d3d523bbee74f6\\conhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\comSavesSessionbrokerNet\\sppsvc.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows Portable Devices\\WmiPrvSE.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\comSavesSessionbrokerNet\\sppsvc.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\comSavesSessionbrokerNet\\sihost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\comSavesSessionbrokerNet\\sihost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\2c2456cde7c2d3d523bbee74f6\\conhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\dotnet\\host\\unsecapp.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\fontdrvhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\dotnet\\host\\unsecapp.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\dotnet\\host\\fxr\\7.0.16\\dllhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\comSavesSessionbrokerNet\\SearchApp.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\sysmon.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Internet Explorer\\uk-UA\\cmd.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\SystemApps\\Microsoft.AsyncTextService_8wekyb3d8bbwe\\pris\\unsecapp.exe\""	ChainComsvc.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	ChainComsvc.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ebf1f9fa8afd6d	ChainComsvc.exe
File created	C:\Program Files\Google\55b276f4edf653	ChainComsvc.exe
File created	C:\Program Files\dotnet\host\unsecapp.exe	ChainComsvc.exe
File opened for modification	C:\Program Files\dotnet\host\unsecapp.exe	ChainComsvc.exe
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	ChainComsvc.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\5940a34987c991	ChainComsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe	ChainComsvc.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe	ChainComsvc.exe
File opened for modification	C:\Program Files\Google\StartMenuExperienceHost.exe	ChainComsvc.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe	ChainComsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\121e5b5079f7c0	ChainComsvc.exe
File created	C:\Program Files\Internet Explorer\uk-UA\cmd.exe	ChainComsvc.exe
File created	C:\Program Files\Google\StartMenuExperienceHost.exe	ChainComsvc.exe
File created	C:\Program Files\dotnet\host\29c1c3cc0f7685	ChainComsvc.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe	ChainComsvc.exe
File opened for modification	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	ChainComsvc.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\cmd.exe	ChainComsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\InputMethod\SHARED\fontdrvhost.exe	ChainComsvc.exe
File created	C:\Windows\InputMethod\SHARED\5b884080fd4f94	ChainComsvc.exe
File created	C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe	ChainComsvc.exe
File created	C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\29c1c3cc0f7685	ChainComsvc.exe
File opened for modification	C:\Windows\InputMethod\SHARED\fontdrvhost.exe	ChainComsvc.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe	ChainComsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Element.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000_Classes\Local Settings	Element.exe
Key created	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe
4684	schtasks.exe
3796	schtasks.exe
876	schtasks.exe
4780	schtasks.exe
3592	schtasks.exe
4936	schtasks.exe
5424	schtasks.exe
5436	schtasks.exe
3636	schtasks.exe
876	schtasks.exe
5320	schtasks.exe
772	schtasks.exe
3416	schtasks.exe
4844	schtasks.exe
5388	schtasks.exe
6032	schtasks.exe
1056	schtasks.exe
3152	schtasks.exe
1144	schtasks.exe
5324	schtasks.exe
5884	schtasks.exe
3408	schtasks.exe
1228	schtasks.exe
4780	schtasks.exe
5096	schtasks.exe
2484	schtasks.exe
4736	schtasks.exe
4336	schtasks.exe
1544	schtasks.exe
1976	schtasks.exe
2128	schtasks.exe
1680	schtasks.exe
5104	schtasks.exe
3576	schtasks.exe
1432	schtasks.exe
6108	schtasks.exe
4520	schtasks.exe
4964	schtasks.exe
5072	schtasks.exe
3572	schtasks.exe
892	schtasks.exe
5528	schtasks.exe
3352	schtasks.exe
5492	schtasks.exe
792	schtasks.exe
5688	schtasks.exe
1672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe
4500	ChainComsvc.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5948	sppsvc.exe
6484	taskmgr.exe
2984	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4500	ChainComsvc.exe
Token: SeDebugPrivilege	4884	fontdrvhost.exe
Token: SeDebugPrivilege	4756	fontdrvhost.exe
Token: SeDebugPrivilege	5100	WmiPrvSE.exe
Token: SeDebugPrivilege	5780	WmiPrvSE.exe
Token: SeDebugPrivilege	3820	dllhost.exe
Token: SeDebugPrivilege	4252	dllhost.exe
Token: SeDebugPrivilege	1072	sysmon.exe
Token: SeDebugPrivilege	4416	sysmon.exe
Token: SeDebugPrivilege	1840	cmd.exe
Token: SeDebugPrivilege	2764	cmd.exe
Token: SeDebugPrivilege	2340	sihost.exe
Token: SeDebugPrivilege	1084	sihost.exe
Token: SeDebugPrivilege	4104	conhost.exe
Token: SeDebugPrivilege	8	conhost.exe
Token: SeDebugPrivilege	4052	WmiPrvSE.exe
Token: SeDebugPrivilege	2096	upfc.exe
Token: SeDebugPrivilege	4704	WmiPrvSE.exe
Token: SeDebugPrivilege	4012	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5076	upfc.exe
Token: SeDebugPrivilege	4468	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4472	fontdrvhost.exe
Token: SeDebugPrivilege	2732	fontdrvhost.exe
Token: SeDebugPrivilege	4136	unsecapp.exe
Token: SeDebugPrivilege	1468	unsecapp.exe
Token: SeDebugPrivilege	1852	Registry.exe
Token: SeDebugPrivilege	6220	unsecapp.exe
Token: SeDebugPrivilege	6204	Registry.exe
Token: SeDebugPrivilege	6352	unsecapp.exe
Token: SeDebugPrivilege	6392	sppsvc.exe
Token: SeDebugPrivilege	6380	sppsvc.exe
Token: SeDebugPrivilege	6500	SearchApp.exe
Token: SeDebugPrivilege	6544	SearchApp.exe
Token: SeDebugPrivilege	6912	powershell.exe
Token: SeDebugPrivilege	6920	powershell.exe
Token: SeDebugPrivilege	6992	powershell.exe
Token: SeDebugPrivilege	6952	powershell.exe
Token: SeDebugPrivilege	7000	powershell.exe
Token: SeDebugPrivilege	6984	powershell.exe
Token: SeDebugPrivilege	7068	powershell.exe
Token: SeDebugPrivilege	6968	powershell.exe
Token: SeDebugPrivilege	6928	powershell.exe
Token: SeDebugPrivilege	6936	powershell.exe
Token: SeDebugPrivilege	7008	powershell.exe
Token: SeDebugPrivilege	7032	powershell.exe
Token: SeDebugPrivilege	7048	powershell.exe
Token: SeDebugPrivilege	6960	powershell.exe
Token: SeDebugPrivilege	7056	powershell.exe
Token: SeDebugPrivilege	5948	sppsvc.exe
Token: SeDebugPrivilege	6976	powershell.exe
Token: SeDebugPrivilege	7016	powershell.exe
Token: SeIncreaseQuotaPrivilege	7048	powershell.exe
Token: SeSecurityPrivilege	7048	powershell.exe
Token: SeTakeOwnershipPrivilege	7048	powershell.exe
Token: SeLoadDriverPrivilege	7048	powershell.exe
Token: SeSystemProfilePrivilege	7048	powershell.exe
Token: SeSystemtimePrivilege	7048	powershell.exe
Token: SeProfSingleProcessPrivilege	7048	powershell.exe
Token: SeIncBasePriorityPrivilege	7048	powershell.exe
Token: SeCreatePagefilePrivilege	7048	powershell.exe
Token: SeBackupPrivilege	7048	powershell.exe
Token: SeRestorePrivilege	7048	powershell.exe
Token: SeShutdownPrivilege	7048	powershell.exe
Token: SeDebugPrivilege	7048	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
5948	sppsvc.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe
6484	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5948	sppsvc.exe
2984	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 4504	4408	Element.exe	81
PID 4408 wrote to memory of 4504	4408	Element.exe	81
PID 4408 wrote to memory of 4504	4408	Element.exe	81
PID 4504 wrote to memory of 2400	4504	WScript.exe	87
PID 4504 wrote to memory of 2400	4504	WScript.exe	87
PID 4504 wrote to memory of 2400	4504	WScript.exe	87
PID 2400 wrote to memory of 4500	2400	cmd.exe	89
PID 2400 wrote to memory of 4500	2400	cmd.exe	89
PID 4316 wrote to memory of 4884	4316	cmd.exe	99
PID 4316 wrote to memory of 4884	4316	cmd.exe	99
PID 4940 wrote to memory of 4756	4940	cmd.exe	101
PID 4940 wrote to memory of 4756	4940	cmd.exe	101
PID 2668 wrote to memory of 5780	2668	cmd.exe	114
PID 2668 wrote to memory of 5780	2668	cmd.exe	114
PID 4652 wrote to memory of 5100	4652	cmd.exe	115
PID 4652 wrote to memory of 5100	4652	cmd.exe	115
PID 5948 wrote to memory of 3820	5948	cmd.exe	120
PID 5948 wrote to memory of 3820	5948	cmd.exe	120
PID 5336 wrote to memory of 4252	5336	cmd.exe	124
PID 5336 wrote to memory of 4252	5336	cmd.exe	124
PID 4328 wrote to memory of 1072	4328	cmd.exe	136
PID 4328 wrote to memory of 1072	4328	cmd.exe	136
PID 720 wrote to memory of 4416	720	cmd.exe	140
PID 720 wrote to memory of 4416	720	cmd.exe	140
PID 4008 wrote to memory of 1840	4008	cmd.exe	147
PID 4008 wrote to memory of 1840	4008	cmd.exe	147
PID 4224 wrote to memory of 2340	4224	cmd.exe	156
PID 4224 wrote to memory of 2340	4224	cmd.exe	156
PID 1236 wrote to memory of 2764	1236	cmd.exe	158
PID 1236 wrote to memory of 2764	1236	cmd.exe	158
PID 696 wrote to memory of 1084	696	cmd.exe	166
PID 696 wrote to memory of 1084	696	cmd.exe	166
PID 1652 wrote to memory of 8	1652	cmd.exe	174
PID 1652 wrote to memory of 8	1652	cmd.exe	174
PID 2148 wrote to memory of 4104	2148	cmd.exe	175
PID 2148 wrote to memory of 4104	2148	cmd.exe	175
PID 6072 wrote to memory of 4052	6072	cmd.exe	183
PID 6072 wrote to memory of 4052	6072	cmd.exe	183
PID 5716 wrote to memory of 2096	5716	cmd.exe	185
PID 5716 wrote to memory of 2096	5716	cmd.exe	185
PID 1124 wrote to memory of 4704	1124	cmd.exe	189
PID 1124 wrote to memory of 4704	1124	cmd.exe	189
PID 5724 wrote to memory of 5076	5724	cmd.exe	194
PID 5724 wrote to memory of 5076	5724	cmd.exe	194
PID 2844 wrote to memory of 4012	2844	cmd.exe	201
PID 2844 wrote to memory of 4012	2844	cmd.exe	201
PID 3992 wrote to memory of 4468	3992	cmd.exe	202
PID 3992 wrote to memory of 4468	3992	cmd.exe	202
PID 436 wrote to memory of 4472	436	cmd.exe	208
PID 436 wrote to memory of 4472	436	cmd.exe	208
PID 5964 wrote to memory of 2732	5964	cmd.exe	213
PID 5964 wrote to memory of 2732	5964	cmd.exe	213
PID 5228 wrote to memory of 4136	5228	cmd.exe	221
PID 5228 wrote to memory of 4136	5228	cmd.exe	221
PID 5456 wrote to memory of 1468	5456	cmd.exe	226
PID 5456 wrote to memory of 1468	5456	cmd.exe	226
PID 4004 wrote to memory of 1852	4004	cmd.exe	227
PID 4004 wrote to memory of 1852	4004	cmd.exe	227
PID 4992 wrote to memory of 6204	4992	cmd.exe	228
PID 4992 wrote to memory of 6204	4992	cmd.exe	228
PID 5528 wrote to memory of 6220	5528	cmd.exe	229
PID 5528 wrote to memory of 6220	5528	cmd.exe	229
PID 4420 wrote to memory of 6352	4420	cmd.exe	230
PID 4420 wrote to memory of 6352	4420	cmd.exe	230

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Element.exe
"C:\Users\Admin\AppData\Local\Temp\Element.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comSavesSessionbrokerNet\137ZAQtz7T0KfqnihMmUn1LNjeAvS.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\comSavesSessionbrokerNet\Dwq7lixZ2zOO3JgtN3iMKD.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\comSavesSessionbrokerNet\ChainComsvc.exe
      "C:\comSavesSessionbrokerNet\ChainComsvc.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comSavesSessionbrokerNet\ChainComsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\SHARED\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\uk-UA\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comSavesSessionbrokerNet\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2c2456cde7c2d3d523bbee74f6\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2c2456cde7c2d3d523bbee74f6\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:7000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\MsEdgeCrashpad\reports\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:7008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\host\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:7016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comSavesSessionbrokerNet\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:7032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comSavesSessionbrokerNet\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:7048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:7056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comSavesSessionbrokerNet\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:7068
    - - C:\comSavesSessionbrokerNet\sppsvc.exe
        
        "C:\comSavesSessionbrokerNet\sppsvc.exe"
        5⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5948
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3179d9a-5e77-4bfa-b37c-d780cb049697.vbs"
        6⤵
        
        PID:2116
        
        C:\comSavesSessionbrokerNet\sppsvc.exe
        
        C:\comSavesSessionbrokerNet\sppsvc.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba89da13-14db-4c35-a491-70b70e2f1d19.vbs"
        8⤵
        
        PID:6324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf449e45-f5c3-4516-bf8b-93c8058834de.vbs"
        8⤵
        
        PID:4148
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f784248a-8ab0-4239-87d6-92a351ce2481.vbs"
        6⤵
        
        PID:6088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\InputMethod\SHARED\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\InputMethod\SHARED\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\InputMethod\SHARED\fontdrvhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\InputMethod\SHARED\fontdrvhost.exe
  C:\Windows\InputMethod\SHARED\fontdrvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\InputMethod\SHARED\fontdrvhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\InputMethod\SHARED\fontdrvhost.exe
  C:\Windows\InputMethod\SHARED\fontdrvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Program Files\Windows Portable Devices\WmiPrvSE.exe
  "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Program Files\Windows Portable Devices\WmiPrvSE.exe
  "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5336
- C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe
  "C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5948
- C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe
  "C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:720
- C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe
  "C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe
  "C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\uk-UA\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\uk-UA\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\Internet Explorer\uk-UA\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Program Files\Internet Explorer\uk-UA\cmd.exe
  "C:\Program Files\Internet Explorer\uk-UA\cmd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\Internet Explorer\uk-UA\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Program Files\Internet Explorer\uk-UA\cmd.exe
  "C:\Program Files\Internet Explorer\uk-UA\cmd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\comSavesSessionbrokerNet\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\comSavesSessionbrokerNet\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\comSavesSessionbrokerNet\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\comSavesSessionbrokerNet\sihost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4224
- C:\comSavesSessionbrokerNet\sihost.exe
  C:\comSavesSessionbrokerNet\sihost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\comSavesSessionbrokerNet\sihost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:696
- C:\comSavesSessionbrokerNet\sihost.exe
  C:\comSavesSessionbrokerNet\sihost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\2c2456cde7c2d3d523bbee74f6\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\2c2456cde7c2d3d523bbee74f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\2c2456cde7c2d3d523bbee74f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\2c2456cde7c2d3d523bbee74f6\conhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\2c2456cde7c2d3d523bbee74f6\conhost.exe
  C:\2c2456cde7c2d3d523bbee74f6\conhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\2c2456cde7c2d3d523bbee74f6\conhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\2c2456cde7c2d3d523bbee74f6\conhost.exe
  C:\2c2456cde7c2d3d523bbee74f6\conhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\WmiPrvSE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:6072
- C:\Recovery\WindowsRE\WmiPrvSE.exe
  C:\Recovery\WindowsRE\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\WmiPrvSE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Recovery\WindowsRE\WmiPrvSE.exe
  C:\Recovery\WindowsRE\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\2c2456cde7c2d3d523bbee74f6\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\2c2456cde7c2d3d523bbee74f6\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\2c2456cde7c2d3d523bbee74f6\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\2c2456cde7c2d3d523bbee74f6\upfc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5724
- C:\2c2456cde7c2d3d523bbee74f6\upfc.exe
  C:\2c2456cde7c2d3d523bbee74f6\upfc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\2c2456cde7c2d3d523bbee74f6\upfc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5716
- C:\2c2456cde7c2d3d523bbee74f6\upfc.exe
  C:\2c2456cde7c2d3d523bbee74f6\upfc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Google\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\Google\StartMenuExperienceHost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files\Google\StartMenuExperienceHost.exe
  "C:\Program Files\Google\StartMenuExperienceHost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\Google\StartMenuExperienceHost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Program Files\Google\StartMenuExperienceHost.exe
  "C:\Program Files\Google\StartMenuExperienceHost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Temp\MsEdgeCrashpad\reports\fontdrvhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5964
- C:\Windows\Temp\MsEdgeCrashpad\reports\fontdrvhost.exe
  C:\Windows\Temp\MsEdgeCrashpad\reports\fontdrvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Temp\MsEdgeCrashpad\reports\fontdrvhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\Temp\MsEdgeCrashpad\reports\fontdrvhost.exe
  C:\Windows\Temp\MsEdgeCrashpad\reports\fontdrvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\host\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\dotnet\host\unsecapp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5456
- C:\Program Files\dotnet\host\unsecapp.exe
  "C:\Program Files\dotnet\host\unsecapp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\dotnet\host\unsecapp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5228
- C:\Program Files\dotnet\host\unsecapp.exe
  "C:\Program Files\dotnet\host\unsecapp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\comSavesSessionbrokerNet\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\comSavesSessionbrokerNet\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\comSavesSessionbrokerNet\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\comSavesSessionbrokerNet\Registry.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- C:\comSavesSessionbrokerNet\Registry.exe
  C:\comSavesSessionbrokerNet\Registry.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\comSavesSessionbrokerNet\Registry.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4004
- C:\comSavesSessionbrokerNet\Registry.exe
  C:\comSavesSessionbrokerNet\Registry.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\comSavesSessionbrokerNet\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\comSavesSessionbrokerNet\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\comSavesSessionbrokerNet\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\comSavesSessionbrokerNet\sppsvc.exe"
1⤵
PID:4024
- C:\comSavesSessionbrokerNet\sppsvc.exe
  C:\comSavesSessionbrokerNet\sppsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\comSavesSessionbrokerNet\sppsvc.exe"
1⤵
PID:5812
- C:\comSavesSessionbrokerNet\sppsvc.exe
  C:\comSavesSessionbrokerNet\sppsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5528
- C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe
  C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe
  C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\comSavesSessionbrokerNet\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\comSavesSessionbrokerNet\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\comSavesSessionbrokerNet\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\comSavesSessionbrokerNet\SearchApp.exe"
1⤵
PID:4876
- C:\comSavesSessionbrokerNet\SearchApp.exe
  C:\comSavesSessionbrokerNet\SearchApp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\comSavesSessionbrokerNet\SearchApp.exe"
1⤵
PID:1736
- C:\comSavesSessionbrokerNet\SearchApp.exe
  C:\comSavesSessionbrokerNet\SearchApp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6500

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6484

C:\comSavesSessionbrokerNet\Registry.exe
"C:\comSavesSessionbrokerNet\Registry.exe"
1⤵
- Executes dropped EXE
PID:6248

C:\Program Files\Google\StartMenuExperienceHost.exe
"C:\Program Files\Google\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
PID:6492

C:\Recovery\WindowsRE\WmiPrvSE.exe
"C:\Recovery\WindowsRE\WmiPrvSE.exe"
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\Temp\MsEdgeCrashpad\reports\fontdrvhost.exe
"C:\Windows\Temp\MsEdgeCrashpad\reports\fontdrvhost.exe"
1⤵
- Executes dropped EXE
PID:4764

C:\comSavesSessionbrokerNet\SearchApp.exe
"C:\comSavesSessionbrokerNet\SearchApp.exe"
1⤵
- Executes dropped EXE
PID:460

C:\comSavesSessionbrokerNet\Registry.exe
"C:\comSavesSessionbrokerNet\Registry.exe"
1⤵
- Executes dropped EXE
PID:4444

C:\Program Files\Internet Explorer\uk-UA\cmd.exe
"C:\Program Files\Internet Explorer\uk-UA\cmd.exe"
1⤵
- Executes dropped EXE
PID:5960

C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe
"C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe"
1⤵
- Executes dropped EXE
PID:1048

C:\comSavesSessionbrokerNet\sppsvc.exe
"C:\comSavesSessionbrokerNet\sppsvc.exe"
1⤵
- Executes dropped EXE
PID:4908

C:\Program Files\Google\StartMenuExperienceHost.exe
"C:\Program Files\Google\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
PID:3752

C:\2c2456cde7c2d3d523bbee74f6\upfc.exe
"C:\2c2456cde7c2d3d523bbee74f6\upfc.exe"
1⤵
- Executes dropped EXE
PID:1596

C:\2c2456cde7c2d3d523bbee74f6\conhost.exe
"C:\2c2456cde7c2d3d523bbee74f6\conhost.exe"
1⤵
- Executes dropped EXE
PID:4988

C:\Recovery\WindowsRE\WmiPrvSE.exe
"C:\Recovery\WindowsRE\WmiPrvSE.exe"
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe
"C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\pris\unsecapp.exe"
1⤵
- Executes dropped EXE
PID:2736

C:\comSavesSessionbrokerNet\sihost.exe
"C:\comSavesSessionbrokerNet\sihost.exe"
1⤵
- Executes dropped EXE
PID:5088

C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe
"C:\Program Files\dotnet\host\fxr\7.0.16\dllhost.exe"
1⤵
- Executes dropped EXE
PID:6668

C:\comSavesSessionbrokerNet\Registry.exe
"C:\comSavesSessionbrokerNet\Registry.exe"
1⤵
- Executes dropped EXE
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8d3e3b5e1273bda8e93a0abee562807c

SHA1
c6375fe5052f2fec9a5a2ab8a4c4bf9ec8e639ef

SHA256
046fd8d338eb0b28918cf89402da857d9e524157cdcac165ea2721e72b944761

SHA512
768eef0f232a2825d3a9be729f83eb868f8cf967fb91c8f8a24f0e833c7435aa11665293bb6bd79ee46c17536ef90be2a9c7e247186de9b5a1eed631917a699f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04f8b18568d193acae445ca5a999b51e

SHA1
8689a167eac1f869574812bbd3c3a45d7f930c42

SHA256
1a38d4cf3e79f733fd7f7680e1b7d0234008e8afc7b862731906bb4ee5f11f25

SHA512
64718ea1e9599e5d17e895ec78ea204ea0352c56f2ccb3c47ed52e1fb91450e414223cc2e7d93a3dda89f2c936c4e931fd04f64ee1506feb57b3da3fa9850be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
346b9777c0e8e1d7fa7429006e4bf528

SHA1
5058dc9fad3f0169eb4abff659a381a8855ff3ea

SHA256
ffa0b5deff5dc5b46770a8221bcf539217fdc9865635fb7f52fe7a43a47f3caa

SHA512
f1df2f0b70ec46533aa8a5414d79f57b1c2bec8c6a8ce109eaaf83abb8d9f3eb75e9dd65d0552ec8c9f7f9ebb57e10d919515c291d724b6aafadb1bbfe91fd56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3518a7f90930d502f4d1b09b397b78b4

SHA1
6cd988d96eccd227915e8534fff18103bfd4ce58

SHA256
3f69bc72d935d2f5cc9bcdd9fed36f3d7fd3dbb87964e0f0d106e5e4530a52cb

SHA512
ba0701c4db5ad19b9a2eb49f50d3835be65a4f331573ca56261a7d10b52a2ddd6d88965d2c516bb001bc8bce40e0603ec2d8f7d7ea5e347b10092e1c88584e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
62cd31601ec642598cd802554ef15fb4

SHA1
0049b1b7184269b4edbffd376e6f9d4567fb05fd

SHA256
b850c969ecd113360d1e233f2687b75e5450fb871173e12356d4b900bc21e2e6

SHA512
cd0770507bc1f9287d66a71ec38211be8b2b866588d52fa04397f9cddd524c174b2999a981da8a38e84e147117db40a403cc2856116158636b2e1e38b7233867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7470af1ed8952f64223230c5b35682e2

SHA1
fcbe3330ba8c2365364f7b1d8c10c9cab3609c6f

SHA256
8d75891c865a083ee4a1ede5895cf5359d646d51536d5b07a4038d11c48fd2fe

SHA512
d9f9a3ea7287d3b1ff081a676fb3d31a0a4f5bb26f6036a23ddd7166d5860d19c554f5409360a48a1298942163784f61f924dc501909665f804550612aa27f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d0f8e6be2b282dd11b4f6336647e234

SHA1
d1d28505cd31cd89d3bd611243e46e607640e1c1

SHA256
465a57ba6fdd5f3de41e33120bb0a8644c53f0e363b568cdf9199699c637d158

SHA512
c19a7b074a21e4321e538e166c4d9da7f1cd9c1425a8cd6eed2a56c78f5599ecae7bb923e9b0b73ecca45465d7316786cf61128df48b5856ed9fe694b1e4ea30

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cju4xzyn.54l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba89da13-14db-4c35-a491-70b70e2f1d19.vbs

Filesize
714B

MD5
dafbdcda096099f6f55ce9febf3c79f3

SHA1
2dad3b6a34b5848305a07d184404f478e7404987

SHA256
e2d306ebbeb83843571d289a8a8acc5768f515c51c39516df297d8b485a319e1

SHA512
6c442843ce0dec2471a69a212f9d7ca163527f6cd00ab43c1cee3369083038d4a579e51e854dd845bacc7a03f0d57d256e2b99314fe6ab1729df1c360ed02e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3179d9a-5e77-4bfa-b37c-d780cb049697.vbs

Filesize
714B

MD5
318e767c441d44e5c87f44728a654406

SHA1
071116e705ff1aed1e2641134f28bca5713d839b

SHA256
8f5396cf48d041a22716670d317be24f77658aa96981761b84d17f7a8c8ebbcf

SHA512
421c2fcd7d535421461df87e38dfb1b8600e9b0fd99080cc0d06150371b2ed54ff4a900135dbb0629e91ec02edcb7b603b01c98b82bc8e34a452d285f0cd93a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f784248a-8ab0-4239-87d6-92a351ce2481.vbs

Filesize
490B

MD5
7b1b58e052e4fd9c63e82a84cd0e3110

SHA1
2c2cebb0cab1b8a287820716c52fc5eec92b7f3b

SHA256
ac1256e1849e63b73851ef978fed7c9f8cb937565c3054e3ade39829a5cf73f6

SHA512
67d04288354068ec046f619e6f308146c86da9d4d60b1ae216ce33ee342b24b3c1cbbd3e5c819b2067ed6cc586adf4d36f22f1a6ef6591d62c0ac80fc40c57b6

Download Submit
C:\comSavesSessionbrokerNet\137ZAQtz7T0KfqnihMmUn1LNjeAvS.vbe

Filesize
223B

MD5
8bda878ad816fcdfc732fbe16002def1

SHA1
9bc892a09cb9f9d945c16ba0afdc90aad639fbd6

SHA256
bdf68e1db80c1d790b7cb64580f80efd0f5a1beed23c3a3da2c4ebae2c601f76

SHA512
fba6b63daa0efcc5fe54065c7c3cf80e71bd838937dd1bf6a7861b33bbdb409fde9f9cf6dc5019726cbd64ba2396b16aedf596271b5e0e03cab9c559417e1cdd

Download Submit
C:\comSavesSessionbrokerNet\ChainComsvc.exe

Filesize
1.1MB

MD5
96fcb717c20c4e1629883d7bc366794f

SHA1
4f06e5ec4234031b67889afcba11cddaa7b2115d

SHA256
8635b498be98d750486f1a5e832bb862fe8c2248e983435546459bf101632221

SHA512
56037e13339873710c672c68f584aa1e6a2682248993a679b93ae07ad3e7f51d93c09e078d1e5c25a58fbca6869040fd2c363f8af43e95da5c9ed4cb00d092c6

Download Submit
C:\comSavesSessionbrokerNet\Dwq7lixZ2zOO3JgtN3iMKD.bat

Filesize
45B

MD5
1b8d4bcf85b42a18e60f7df6b5473318

SHA1
523c9e522f785f220dbf69f9c14f81bc8b221c3c

SHA256
587df711b165a596ca89bb178776223a1200d8a349a50dc06ec7a20d0483d16c

SHA512
735141589a81eadd8c16ba08f2befcc3b029d19f01e9ed701e85ab2876bcb2182833b96683795473a094e2e6c953337ef40accec685fd71e178d55aabefe3662

Download Submit
memory/2984-313-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/4500-22-0x000000001B870000-0x000000001B87C000-memory.dmp

Filesize
48KB

Download
memory/4500-15-0x00007FF876C83000-0x00007FF876C85000-memory.dmp

Filesize
8KB

Download
memory/4500-78-0x00007FF876C83000-0x00007FF876C85000-memory.dmp

Filesize
8KB

Download
memory/4500-21-0x0000000002EF0000-0x0000000002EFA000-memory.dmp

Filesize
40KB

Download
memory/4500-20-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

Filesize
48KB

Download
memory/4500-19-0x000000001C500000-0x000000001CA28000-memory.dmp

Filesize
5.2MB

Download
memory/4500-18-0x00000000014F0000-0x0000000001502000-memory.dmp

Filesize
72KB

Download
memory/4500-17-0x00000000014E0000-0x00000000014F0000-memory.dmp

Filesize
64KB

Download
memory/4500-16-0x0000000000C00000-0x0000000000D2A000-memory.dmp

Filesize
1.2MB

Download
memory/5948-228-0x00000000014C0000-0x00000000014D2000-memory.dmp

Filesize
72KB

Download
memory/5948-299-0x0000000002D20000-0x0000000002D30000-memory.dmp

Filesize
64KB

Download
memory/6484-302-0x000002119C440000-0x000002119C441000-memory.dmp

Filesize
4KB

Download
memory/6484-300-0x000002119C440000-0x000002119C441000-memory.dmp

Filesize
4KB

Download
memory/6484-306-0x000002119C440000-0x000002119C441000-memory.dmp

Filesize
4KB

Download
memory/6484-312-0x000002119C440000-0x000002119C441000-memory.dmp

Filesize
4KB

Download
memory/6484-311-0x000002119C440000-0x000002119C441000-memory.dmp

Filesize
4KB

Download
memory/6484-310-0x000002119C440000-0x000002119C441000-memory.dmp

Filesize
4KB

Download
memory/6484-309-0x000002119C440000-0x000002119C441000-memory.dmp

Filesize
4KB

Download
memory/6484-308-0x000002119C440000-0x000002119C441000-memory.dmp

Filesize
4KB

Download
memory/6484-307-0x000002119C440000-0x000002119C441000-memory.dmp

Filesize
4KB

Download
memory/6484-301-0x000002119C440000-0x000002119C441000-memory.dmp

Filesize
4KB

Download
memory/6992-110-0x000001D5CEFC0000-0x000001D5CEFE2000-memory.dmp

Filesize
136KB

Download