dcrat | cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
Size

1.8MB
MD5

37c85ad6a6a43784e086433a06cc85c6
SHA1

c51a7935cd6b16305e125a4b5cc9e162923429bf
SHA256

cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4
SHA512

e6a73a792c99fe1d254c44d7ac00159608d117cf629ecf5c17b4b0eb4c65a0943f45fb6cc6e68d2a0440ed8bcacbc6e189d7ef55eef3a214868c751a69d562a8
SSDEEP

49152:QodoalH3Fh0dZXAZPabJ10r+vJqB1zRIm:Qod93fQwFkhO2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1628	schtasks.exe	30

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2408-1-0x0000000000A60000-0x0000000000C28000-memory.dmp	dcrat
behavioral1/files/0x000500000001960d-27.dat	dcrat
behavioral1/files/0x000c0000000186fd-114.dat	dcrat
behavioral1/files/0x000a000000019611-172.dat	dcrat
behavioral1/files/0x0008000000019621-183.dat	dcrat
behavioral1/memory/2520-257-0x0000000000B20000-0x0000000000CE8000-memory.dmp	dcrat
behavioral1/memory/2924-270-0x0000000001270000-0x0000000001438000-memory.dmp	dcrat
behavioral1/memory/2888-354-0x0000000000110000-0x00000000002D8000-memory.dmp	dcrat
behavioral1/memory/2684-366-0x0000000000FF0000-0x00000000011B8000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2632	powershell.exe
2224	powershell.exe
980	powershell.exe
2644	powershell.exe
2600	powershell.exe
1148	powershell.exe
3036	powershell.exe
3044	powershell.exe
108	powershell.exe
2840	powershell.exe
2612	powershell.exe
2756	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe

Executes dropped EXE 10 IoCs

pid	Process
2520	sppsvc.exe
2924	sppsvc.exe
2132	sppsvc.exe
1820	sppsvc.exe
2144	sppsvc.exe
1824	sppsvc.exe
2768	sppsvc.exe
2884	sppsvc.exe
2888	sppsvc.exe
2684	sppsvc.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\0a1fd5f707cd16	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\Idle.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\RCXE141.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\services.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File created	C:\Program Files\Common Files\System\es-ES\Idle.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File created	C:\Program Files\Windows Mail\ja-JP\services.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\RCXD226.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\RCXD227.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXDD37.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\RCXE1AF.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File created	C:\Program Files\Common Files\System\es-ES\6ccacd8608530f	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File created	C:\Program Files\Windows Mail\ja-JP\c5b4cb5e9653cc	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXDD38.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\Aero\Shell\NormalColor\System.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File created	C:\Windows\Resources\Themes\Aero\Shell\NormalColor\System.exe	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File created	C:\Windows\Resources\Themes\Aero\Shell\NormalColor\27d1bcfc3c54e0	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Windows\Resources\Themes\Aero\Shell\NormalColor\RCXD8C1.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
File opened for modification	C:\Windows\Resources\Themes\Aero\Shell\NormalColor\RCXD8C2.tmp	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2640	schtasks.exe
1512	schtasks.exe
2584	schtasks.exe
3068	schtasks.exe
3012	schtasks.exe
2692	schtasks.exe
2884	schtasks.exe
2660	schtasks.exe
1828	schtasks.exe
2592	schtasks.exe
1504	schtasks.exe
1872	schtasks.exe
2804	schtasks.exe
1392	schtasks.exe
112	schtasks.exe
1976	schtasks.exe
2860	schtasks.exe
1104	schtasks.exe
1428	schtasks.exe
1216	schtasks.exe
1148	schtasks.exe
2356	schtasks.exe
2036	schtasks.exe
1780	schtasks.exe
2120	schtasks.exe
316	schtasks.exe
2200	schtasks.exe
2724	schtasks.exe
2208	schtasks.exe
2872	schtasks.exe
2832	schtasks.exe
2904	schtasks.exe
2008	schtasks.exe
2636	schtasks.exe
2764	schtasks.exe
1088	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2520	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
3036	powershell.exe
3044	powershell.exe
2600	powershell.exe
1148	powershell.exe
2644	powershell.exe
2224	powershell.exe
108	powershell.exe
2612	powershell.exe
2756	powershell.exe
2840	powershell.exe
2632	powershell.exe
980	powershell.exe
2520	sppsvc.exe
2520	sppsvc.exe
2520	sppsvc.exe
2520	sppsvc.exe
2520	sppsvc.exe
2520	sppsvc.exe
2520	sppsvc.exe
2520	sppsvc.exe
2520	sppsvc.exe
2520	sppsvc.exe
2520	sppsvc.exe
2520	sppsvc.exe
2520	sppsvc.exe
2520	sppsvc.exe
2520	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	2520	sppsvc.exe
Token: SeDebugPrivilege	2924	sppsvc.exe
Token: SeDebugPrivilege	2132	sppsvc.exe
Token: SeDebugPrivilege	1820	sppsvc.exe
Token: SeDebugPrivilege	2144	sppsvc.exe
Token: SeDebugPrivilege	1824	sppsvc.exe
Token: SeDebugPrivilege	2768	sppsvc.exe
Token: SeDebugPrivilege	2884	sppsvc.exe
Token: SeDebugPrivilege	2888	sppsvc.exe
Token: SeDebugPrivilege	2684	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2840	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	68
PID 2408 wrote to memory of 2840	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	68
PID 2408 wrote to memory of 2840	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	68
PID 2408 wrote to memory of 2644	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	69
PID 2408 wrote to memory of 2644	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	69
PID 2408 wrote to memory of 2644	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	69
PID 2408 wrote to memory of 2600	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	70
PID 2408 wrote to memory of 2600	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	70
PID 2408 wrote to memory of 2600	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	70
PID 2408 wrote to memory of 2612	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	71
PID 2408 wrote to memory of 2612	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	71
PID 2408 wrote to memory of 2612	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	71
PID 2408 wrote to memory of 2756	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	72
PID 2408 wrote to memory of 2756	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	72
PID 2408 wrote to memory of 2756	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	72
PID 2408 wrote to memory of 1148	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	73
PID 2408 wrote to memory of 1148	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	73
PID 2408 wrote to memory of 1148	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	73
PID 2408 wrote to memory of 3036	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	75
PID 2408 wrote to memory of 3036	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	75
PID 2408 wrote to memory of 3036	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	75
PID 2408 wrote to memory of 2632	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	76
PID 2408 wrote to memory of 2632	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	76
PID 2408 wrote to memory of 2632	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	76
PID 2408 wrote to memory of 2224	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	77
PID 2408 wrote to memory of 2224	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	77
PID 2408 wrote to memory of 2224	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	77
PID 2408 wrote to memory of 3044	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	78
PID 2408 wrote to memory of 3044	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	78
PID 2408 wrote to memory of 3044	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	78
PID 2408 wrote to memory of 108	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	79
PID 2408 wrote to memory of 108	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	79
PID 2408 wrote to memory of 108	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	79
PID 2408 wrote to memory of 980	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	80
PID 2408 wrote to memory of 980	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	80
PID 2408 wrote to memory of 980	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	80
PID 2408 wrote to memory of 1768	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	92
PID 2408 wrote to memory of 1768	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	92
PID 2408 wrote to memory of 1768	2408	cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe	92
PID 1768 wrote to memory of 1440	1768	cmd.exe	94
PID 1768 wrote to memory of 1440	1768	cmd.exe	94
PID 1768 wrote to memory of 1440	1768	cmd.exe	94
PID 1768 wrote to memory of 2520	1768	cmd.exe	95
PID 1768 wrote to memory of 2520	1768	cmd.exe	95
PID 1768 wrote to memory of 2520	1768	cmd.exe	95
PID 1768 wrote to memory of 2520	1768	cmd.exe	95
PID 1768 wrote to memory of 2520	1768	cmd.exe	95
PID 2520 wrote to memory of 2712	2520	sppsvc.exe	96
PID 2520 wrote to memory of 2712	2520	sppsvc.exe	96
PID 2520 wrote to memory of 2712	2520	sppsvc.exe	96
PID 2520 wrote to memory of 2732	2520	sppsvc.exe	97
PID 2520 wrote to memory of 2732	2520	sppsvc.exe	97
PID 2520 wrote to memory of 2732	2520	sppsvc.exe	97
PID 2712 wrote to memory of 2924	2712	WScript.exe	98
PID 2712 wrote to memory of 2924	2712	WScript.exe	98
PID 2712 wrote to memory of 2924	2712	WScript.exe	98
PID 2712 wrote to memory of 2924	2712	WScript.exe	98
PID 2712 wrote to memory of 2924	2712	WScript.exe	98
PID 2924 wrote to memory of 1972	2924	sppsvc.exe	99
PID 2924 wrote to memory of 1972	2924	sppsvc.exe	99
PID 2924 wrote to memory of 1972	2924	sppsvc.exe	99
PID 2924 wrote to memory of 1696	2924	sppsvc.exe	100
PID 2924 wrote to memory of 1696	2924	sppsvc.exe	100
PID 2924 wrote to memory of 1696	2924	sppsvc.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe
"C:\Users\Admin\AppData\Local\Temp\cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5GcfX8wsEj.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1440
- - C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe
    "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d93e58f-d3d2-4846-aae2-50b822ff318f.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\befb54d9-0afa-490e-9fb2-25fd08d79ec9.vbs"
        6⤵
        
        PID:1972
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3557cd0e-38b5-4072-a46f-02ef5cf188aa.vbs"
        8⤵
        
        PID:2004
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57d7aa22-81ec-43ab-9198-117b4de0ec28.vbs"
        10⤵
        
        PID:532
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83f950a2-ef3c-48b6-8a0d-4235834396eb.vbs"
        12⤵
        
        PID:2792
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccfdd9da-12e1-43c6-baa6-6435516b00c6.vbs"
        14⤵
        
        PID:1252
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50ca9588-a38f-4378-bb6f-2468240e9e4f.vbs"
        16⤵
        
        PID:2900
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\804533f9-cf7e-4c6f-adde-f8915bc318cc.vbs"
        18⤵
        
        PID:2728
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5bfd5ee-e935-4c2c-b52d-02f4c23455d8.vbs"
        20⤵
        
        PID:1592
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\603def74-45ec-4e74-b24a-cb1ab3c46fc0.vbs"
        20⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cf0d431-87d8-46dd-a655-48a74505809d.vbs"
        18⤵
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fc0bc21-796b-4933-8b27-72230ca4cc51.vbs"
        16⤵
        
        PID:1184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eab66644-3062-450d-a27a-e14178540376.vbs"
        14⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b37b9813-05d1-49db-a2dc-103e14d62baa.vbs"
        12⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dccf7ac8-a2ae-40c6-aa44-ad01d8ccfb90.vbs"
        10⤵
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e098a62-fb4a-49fa-8935-a20dd0897cf5.vbs"
        8⤵
        
        PID:2640
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f709cbb8-0969-43f6-845f-1a258d5bf4cb.vbs"
        6⤵
        
        PID:1696
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25d2b32c-f2a5-486a-ab6e-8badc0c8d60e.vbs"
      4⤵
      PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\System\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Themes\Aero\Shell\NormalColor\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\Shell\NormalColor\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\Shell\NormalColor\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe

Filesize
1.8MB

MD5
b0efee74737e21941a8d1357b6e1aa3f

SHA1
5108ac6529840427b42f8575c357fea4049e0a77

SHA256
71def4010f9bee36442ac1b0816f44a8cc1aa815b1ab34a9ad3e6f5ba94d8e63

SHA512
5cbc9284addc8b9b854460caa71d550ebddaf0d106c72586709966f324ab31e8b4752d57c27bf09d9483210e5d98de4f370da94c3b9fd4a3dec34bafa7323148

Download Submit
C:\Program Files\Windows Mail\ja-JP\services.exe

Filesize
1.8MB

MD5
d92444648367a7d9fbeee311f888c2d0

SHA1
f9c001af94399b0edba14727a005c58b11c35aff

SHA256
5bfc2cee86d28108bb6c6b925730eb5fb2e2037bd57f47b789cb438128e8e879

SHA512
9ab9aa14d34d5133e35dc40a0be0c3b5ab603f36b79e79844a1ca10bc660b23dbbbd2fdb7bb920af852ce7d3f22f10d654765512af7f8785ba28c70fdb984b0b

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe

Filesize
1.8MB

MD5
37c85ad6a6a43784e086433a06cc85c6

SHA1
c51a7935cd6b16305e125a4b5cc9e162923429bf

SHA256
cf9783f6f488f40f6b9309486b65c4218233e6b93403f662d357f3fc2b88a1f4

SHA512
e6a73a792c99fe1d254c44d7ac00159608d117cf629ecf5c17b4b0eb4c65a0943f45fb6cc6e68d2a0440ed8bcacbc6e189d7ef55eef3a214868c751a69d562a8

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe

Filesize
1.8MB

MD5
d41514171daf8f7cc63bed05b4aebc72

SHA1
dfe2241c463787f78c38590d379326ae145fd39f

SHA256
737264315aa56a07baa05ffe4aed950f6aad15e2a00becf3291d834881f7e13d

SHA512
ac4c355c5342df9ad87c0fb7b0f27ce6d64186ae64855617f396b5b96d948fa30317de73472264cec829caed3386050e71f92d46a5c382ba782635dc2d67068a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25d2b32c-f2a5-486a-ab6e-8badc0c8d60e.vbs

Filesize
516B

MD5
5c99b7a4ed5d80486e482dce4e74e578

SHA1
52ddb75be7bb48e99dd62b620a390f92e5165fd9

SHA256
90ad89a919ed59eac3a27b6d6113ee3363ef8c4714c6ff6859c458f47ee2ee07

SHA512
0cec179b409693d6e659d15f4f65b0d82a7d7a076a519fe644f463d393ea59f316a68170438cd82933778b763948acb4190be276b4aad049ebe1e6fc73049440

Download Submit
C:\Users\Admin\AppData\Local\Temp\3557cd0e-38b5-4072-a46f-02ef5cf188aa.vbs

Filesize
740B

MD5
70f18049e27a616272bba2c2aab46fd9

SHA1
3087c590edc7eac3a99e8f23193f3949b505e145

SHA256
f56222c372688dee78ae7b65811bd033c7a913509643fc1fb520dacb8664bc56

SHA512
dd5132712482e74bc08b5eea0b87e5bb41d2eba2dec8187a4be1f5fab7156ea6e96b0b8650b01fce1af15a5e7bce58348eebebc0554efe194c8779f0abd185a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\50ca9588-a38f-4378-bb6f-2468240e9e4f.vbs

Filesize
740B

MD5
3d74756086995afd6b9787255708fe29

SHA1
e580873e3453f18f2f6bcceb81172d6ac96e86e0

SHA256
ba9b9c4592416e1eb8886e9ebab499c27fa37b5b992f09a5788746f458bfe017

SHA512
ed58f20e5fe5e1bd5a35623a15f08434c9ca929098a8169b985d2f68d311b0aede9cf3ff2b4727e9d95d8f6c7408cef412318adee569597dc461be03fcd1a996

Download Submit
C:\Users\Admin\AppData\Local\Temp\57d7aa22-81ec-43ab-9198-117b4de0ec28.vbs

Filesize
740B

MD5
39d01d17551ec374abc6cd2c8b634cb5

SHA1
11f74e024d9fc43b08913f821fbd7e559a1056d8

SHA256
3e855c64cf4046072a452e394c88171dbbd5b044759052567bb06846f62e3bac

SHA512
bcad94cf37d4d07a078e236a00ef2a4eefc1f25f26dfb2e46daad0d9f6cec93c97e01cb478a81e72eb52330d76484ba6bdb2c7c6fd52370de9198c80cf8401ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\5GcfX8wsEj.bat

Filesize
229B

MD5
353fc130a780e9b345c085988239934b

SHA1
22fe1b5789f26f1841b50d955e9f7e5472cdf1df

SHA256
e1fdaa128cca05d08679fb1efb71243e4a50dcfa01538910c48096595c141ef7

SHA512
1b57b30cc6607b4a3ce261de9087972eb447ef574d0aefc4dca7170d8232595add7c39f7bb570fb353a24a75d22100cebc25e0375394deb15da3d5e28491dea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d93e58f-d3d2-4846-aae2-50b822ff318f.vbs

Filesize
740B

MD5
69c714fdf358ffb31c53aa78c4d0199b

SHA1
288aed670feb70c309ff3ea001b565e4408d23e3

SHA256
ab57e027ff5cee7cca4cc89d6974ba64d5a9a1b2e2784bcc9b08ee75ab9bc386

SHA512
8974767afe6709347fbaa1497c73d0266b9e9080212c8cb8600651780fdc48c759673a48fb38ce3d1400b22161d2c80fe0cac1250e34c356411c0c265e1ae108

Download Submit
C:\Users\Admin\AppData\Local\Temp\804533f9-cf7e-4c6f-adde-f8915bc318cc.vbs

Filesize
740B

MD5
19aca790e8ab66e33d40f38a7fef51b1

SHA1
72ef011be139b8be3b1aecbe5f0ec6e87974038a

SHA256
f55ab0cf547f40c43807e4f2f95d1bd96cd429b550de810fdcc07df6e35f2951

SHA512
1676c34c7eac14f8e86d2e8388d13c2aaebc65fee1692d798298254e6ad48ff63ce617e8647edfcb8a96009d9435ad4238256aaa715bd489343ba766de743835

Download Submit
C:\Users\Admin\AppData\Local\Temp\83f950a2-ef3c-48b6-8a0d-4235834396eb.vbs

Filesize
740B

MD5
4b67573f5d7f9ae162e0210ead07e7d6

SHA1
11511e66d4d2b54cd29928a728a24ad440c9fe00

SHA256
dbc7dfaa58d0f4e831b81ebaa270d5582d96f33dbc1fe545bd6bc8a376f11bf7

SHA512
952b93571051f39b89d28fd06c80ae7899d57f0ac9b71357d66e4f34c49184e533b4f518263011b35ed3950041faf34de8f3c322d8d26ed54e31a4bb9b82082a

Download Submit
C:\Users\Admin\AppData\Local\Temp\befb54d9-0afa-490e-9fb2-25fd08d79ec9.vbs

Filesize
740B

MD5
d3b4c0df4805475286d27df38b050b15

SHA1
7ff9ef33a1fd5cebd79f0b6b012d5132f79572ce

SHA256
20d7be350b224900d32b5544f9c7c97e5a0c8db34adfba1fb547c273abe1ca14

SHA512
cc96b480b6f8c1084aca92626c2fe38547f9df7237000edbd5c6e55b7b854908188ac91b55657071e59dd571716177bce7dc388dde050b227b4b00be0c3dd3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccfdd9da-12e1-43c6-baa6-6435516b00c6.vbs

Filesize
740B

MD5
d906f5669a397bd0228e471a56ebc8ae

SHA1
634547739d78866109c6a5bf853b5b3b98e77f2f

SHA256
b275394d96bea227be1fb533e00e749da392bfda1145ddb26a196c064f9e8453

SHA512
40e4b3f855104869b3f6cbbbbd2a643685b40393e68b3bbe48e35461d8889bd050011b9b4495c0940975205cfc6aa2390a7cae6744b3dc83de7d66e46274c80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5bfd5ee-e935-4c2c-b52d-02f4c23455d8.vbs

Filesize
740B

MD5
c1965d6f2d239e03f7513ca9201248be

SHA1
6213b82d5b78c60665f207e167d18f54aeed0ef5

SHA256
36e9fce3213430f19381133acbb54cfaea2c209a6540fd51f06fd39032a729c2

SHA512
11d5742779a388e9d655cbee08caaa4018dd0f005baa3ed974e64870a52ec232f512dc6b88ddb53b32579f55eed5c2332ccbaa19a912908aa80db3a21b357cea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fa53909a547dfc04976ce2a0a7873bad

SHA1
24470779b9c3e27e089198992bd9b0fc62723ec6

SHA256
6dfa1c842c1e6f5bf0687fe7119249344bc7d3eed645aaad7173f2d723568e94

SHA512
dfbd78105250367c3977d562ec86735fe412b5c0d36db9736a06f09b98baac14d37509b0ff64d378703af38c65247704364d6cf88306890fc48f4b93f3eeb128

Download Submit
memory/1820-296-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/2132-284-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2408-13-0x00000000022E0000-0x00000000022EC000-memory.dmp

Filesize
48KB

Download
memory/2408-3-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2408-17-0x000000001A940000-0x000000001A94C000-memory.dmp

Filesize
48KB

Download
memory/2408-16-0x000000001A930000-0x000000001A938000-memory.dmp

Filesize
32KB

Download
memory/2408-186-0x000007FEF62E3000-0x000007FEF62E4000-memory.dmp

Filesize
4KB

Download
memory/2408-192-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2408-14-0x000000001A920000-0x000000001A92A000-memory.dmp

Filesize
40KB

Download
memory/2408-1-0x0000000000A60000-0x0000000000C28000-memory.dmp

Filesize
1.8MB

Download
memory/2408-2-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2408-15-0x000000001A910000-0x000000001A91E000-memory.dmp

Filesize
56KB

Download
memory/2408-20-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2408-4-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/2408-5-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/2408-0-0x000007FEF62E3000-0x000007FEF62E4000-memory.dmp

Filesize
4KB

Download
memory/2408-12-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/2408-7-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2408-6-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/2408-8-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2408-10-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/2408-9-0x0000000002140000-0x000000000214C000-memory.dmp

Filesize
48KB

Download
memory/2520-257-0x0000000000B20000-0x0000000000CE8000-memory.dmp

Filesize
1.8MB

Download
memory/2520-259-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/2520-258-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2684-367-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/2684-366-0x0000000000FF0000-0x00000000011B8000-memory.dmp

Filesize
1.8MB

Download
memory/2884-341-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2884-342-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2888-354-0x0000000000110000-0x00000000002D8000-memory.dmp

Filesize
1.8MB

Download
memory/2924-272-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/2924-270-0x0000000001270000-0x0000000001438000-memory.dmp

Filesize
1.8MB

Download
memory/2924-271-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/3036-203-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/3036-204-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download