dcrat | 5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/11/2024, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Size

1.5MB
MD5

8a3610882dcd50607fd3fa01d7a27b70
SHA1

3f3823159964a51f3e55decdbe83abaf79ba9d8a
SHA256

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781
SHA512

faca6c13605606e436ca4c78ce0fd2f8cbafaa5ef72f68aae880ee9528377aff69b58f5e16633ee3cf7bec4f732de86fcebafd1ba1490636d0676f9d0a32a444
SSDEEP

24576:dbfESdvMj6hoGDAQsJ+N6XcHQWq3QY2SrXQLdok0OjYS4mej+T1kJCv:ZEi6GDAQORcwW5/oBjme81

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat 60 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2120	schtasks.exe
2388	schtasks.exe
2376	schtasks.exe
2448	schtasks.exe
1356	schtasks.exe
1704	schtasks.exe
3036	schtasks.exe
1428	schtasks.exe
1688	schtasks.exe
1540	schtasks.exe
904	schtasks.exe
2664	schtasks.exe
1120	schtasks.exe
2228	schtasks.exe
884	schtasks.exe
2616	schtasks.exe
2592	schtasks.exe
2976	schtasks.exe
2032	schtasks.exe
2672	schtasks.exe
1444	schtasks.exe
2648	schtasks.exe
2928	schtasks.exe
2780	schtasks.exe
1472	schtasks.exe
1140	schtasks.exe
1480	schtasks.exe
1452	schtasks.exe
1808	schtasks.exe
2168	schtasks.exe
1956	schtasks.exe
1752	schtasks.exe
2788	schtasks.exe
2244	schtasks.exe
3064	schtasks.exe
2872	schtasks.exe
2312	schtasks.exe
992	schtasks.exe
2316	schtasks.exe
1952	schtasks.exe
2160	schtasks.exe
2392	schtasks.exe
952	schtasks.exe
1944	schtasks.exe
1880	schtasks.exe
1544	schtasks.exe
2084	schtasks.exe
1084	schtasks.exe
1212	schtasks.exe
1448	schtasks.exe
1684	schtasks.exe
2764	schtasks.exe
2200	schtasks.exe
2880	schtasks.exe
2560	schtasks.exe
2256	schtasks.exe
2704	schtasks.exe
1796	schtasks.exe
1748	schtasks.exe
1768	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\services.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\", \"C:\\Windows\\SchCache\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\", \"C:\\Windows\\SchCache\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsass.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft\\lsass.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\", \"C:\\Windows\\SchCache\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\", \"C:\\Windows\\SchCache\\taskhost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\WmiPrvSE.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\lsm.exe\", \"C:\\ProgramData\\Desktop\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\services.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2888	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
876	powershell.exe
1768	powershell.exe
560	powershell.exe
1676	powershell.exe
284	powershell.exe
3036	powershell.exe
552	powershell.exe
536	powershell.exe
2932	powershell.exe
1476	powershell.exe
2688	powershell.exe
1584	powershell.exe
864	powershell.exe
2456	powershell.exe
1140	powershell.exe
1764	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1632	taskhost.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsass.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\Microsoft\\lsass.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Uninstall Information\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Uninstall Information\\spoolsv.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\services.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\SchCache\\taskhost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Documents and Settings\\lsm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\ProgramData\\Desktop\\audiodg.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\WmiPrvSE.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\lsm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\csrss.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX45E2.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files\Uninstall Information\spoolsv.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\24dbde2999530e	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX38F2.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX3CFA.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c5b4cb5e9653cc	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\RCX36EE.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files\Uninstall Information\spoolsv.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\wininit.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\56085415360792	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files\Uninstall Information\f3b6ecef712a24	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX32E7.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\wininit.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\b75386f1303e64	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Windows\SchCache\RCX4371.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Windows\SchCache\taskhost.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\CSC\v2.0.6\csrss.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\SchCache\taskhost.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2928	schtasks.exe
1120	schtasks.exe
1356	schtasks.exe
2880	schtasks.exe
1704	schtasks.exe
2244	schtasks.exe
1480	schtasks.exe
1448	schtasks.exe
1540	schtasks.exe
2976	schtasks.exe
2160	schtasks.exe
1212	schtasks.exe
2704	schtasks.exe
1444	schtasks.exe
2788	schtasks.exe
1140	schtasks.exe
2872	schtasks.exe
952	schtasks.exe
1880	schtasks.exe
2032	schtasks.exe
2200	schtasks.exe
1428	schtasks.exe
1768	schtasks.exe
2388	schtasks.exe
2648	schtasks.exe
2616	schtasks.exe
2316	schtasks.exe
2664	schtasks.exe
2228	schtasks.exe
2780	schtasks.exe
884	schtasks.exe
1752	schtasks.exe
2448	schtasks.exe
2376	schtasks.exe
1952	schtasks.exe
992	schtasks.exe
1808	schtasks.exe
3064	schtasks.exe
1748	schtasks.exe
2120	schtasks.exe
1084	schtasks.exe
1472	schtasks.exe
2312	schtasks.exe
1452	schtasks.exe
904	schtasks.exe
1544	schtasks.exe
2084	schtasks.exe
1956	schtasks.exe
1944	schtasks.exe
1688	schtasks.exe
2256	schtasks.exe
1796	schtasks.exe
2592	schtasks.exe
3036	schtasks.exe
2672	schtasks.exe
2560	schtasks.exe
2764	schtasks.exe
2168	schtasks.exe
2392	schtasks.exe
1684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
552	powershell.exe
1676	powershell.exe
284	powershell.exe
1584	powershell.exe
864	powershell.exe
1768	powershell.exe
2932	powershell.exe
2456	powershell.exe
1140	powershell.exe
876	powershell.exe
3036	powershell.exe
560	powershell.exe
1476	powershell.exe
2688	powershell.exe
536	powershell.exe
1764	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1632	taskhost.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 3036	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	92
PID 2008 wrote to memory of 3036	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	92
PID 2008 wrote to memory of 3036	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	92
PID 2008 wrote to memory of 1584	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	93
PID 2008 wrote to memory of 1584	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	93
PID 2008 wrote to memory of 1584	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	93
PID 2008 wrote to memory of 876	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	94
PID 2008 wrote to memory of 876	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	94
PID 2008 wrote to memory of 876	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	94
PID 2008 wrote to memory of 560	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	95
PID 2008 wrote to memory of 560	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	95
PID 2008 wrote to memory of 560	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	95
PID 2008 wrote to memory of 1676	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	96
PID 2008 wrote to memory of 1676	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	96
PID 2008 wrote to memory of 1676	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	96
PID 2008 wrote to memory of 552	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	97
PID 2008 wrote to memory of 552	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	97
PID 2008 wrote to memory of 552	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	97
PID 2008 wrote to memory of 864	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	98
PID 2008 wrote to memory of 864	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	98
PID 2008 wrote to memory of 864	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	98
PID 2008 wrote to memory of 536	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	99
PID 2008 wrote to memory of 536	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	99
PID 2008 wrote to memory of 536	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	99
PID 2008 wrote to memory of 1768	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	100
PID 2008 wrote to memory of 1768	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	100
PID 2008 wrote to memory of 1768	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	100
PID 2008 wrote to memory of 2456	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	101
PID 2008 wrote to memory of 2456	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	101
PID 2008 wrote to memory of 2456	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	101
PID 2008 wrote to memory of 2932	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	102
PID 2008 wrote to memory of 2932	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	102
PID 2008 wrote to memory of 2932	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	102
PID 2008 wrote to memory of 1476	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	103
PID 2008 wrote to memory of 1476	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	103
PID 2008 wrote to memory of 1476	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	103
PID 2008 wrote to memory of 284	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	104
PID 2008 wrote to memory of 284	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	104
PID 2008 wrote to memory of 284	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	104
PID 2008 wrote to memory of 1140	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	105
PID 2008 wrote to memory of 1140	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	105
PID 2008 wrote to memory of 1140	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	105
PID 2008 wrote to memory of 1764	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	106
PID 2008 wrote to memory of 1764	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	106
PID 2008 wrote to memory of 1764	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	106
PID 2008 wrote to memory of 2688	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	107
PID 2008 wrote to memory of 2688	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	107
PID 2008 wrote to memory of 2688	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	107
PID 2008 wrote to memory of 1632	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	124
PID 2008 wrote to memory of 1632	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	124
PID 2008 wrote to memory of 1632	2008	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
"C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Desktop\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SchCache\taskhost.exe
  "C:\Windows\SchCache\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hwFOlsm" /sc MINUTE /mo 10 /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PuuIlsm" /sc ONLOGON /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ZTwjlsm" /sc ONSTART /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 10 /tr "'C:\Documents and Settings\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "rgFkaudiodg" /sc MINUTE /mo 12 /tr "'C:\ProgramData\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "W9jSaudiodg" /sc ONLOGON /tr "'C:\ProgramData\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e3z0audiodg" /sc ONSTART /tr "'C:\ProgramData\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc MINUTE /mo 13 /tr "'C:\ProgramData\Desktop\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "eHXElsass" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "w113lsass" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "GPlulsass" /sc ONSTART /tr "'C:\Users\All Users\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ntfzservices" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dBF6services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sRRxservices" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ZrMyIdle" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "51URIdle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "xSH2Idle" /sc ONSTART /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cQHLWmiPrvSE" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "GQI1WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NqnCWmiPrvSE" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UVYawininit" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "jBTOwininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ElvPwininit" /sc ONSTART /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "YofUlsm" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "yFoQlsm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iFxnlsm" /sc ONSTART /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Semycsrss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lFZscsrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "koH6csrss" /sc ONSTART /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DT3Dsppsvc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "inVvsppsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "76XYsppsvc" /sc ONSTART /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "08XDlsm" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Y7NHlsm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lVPglsm" /sc ONSTART /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "GHXdtaskhost" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "S6C8taskhost" /sc ONLOGON /tr "'C:\Windows\SchCache\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BPPptaskhost" /sc ONSTART /tr "'C:\Windows\SchCache\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "qqjvspoolsv" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ASYDspoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "S1SZspoolsv" /sc ONSTART /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bm2Ecsrss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6nVIcsrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "y2lxcsrss" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7DuIlsass" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Mjwxlsass" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IOSXlsass" /sc ONSTART /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Information\csrss.exe

Filesize
1.5MB

MD5
34c620c40551defe1cecdddd28f7cbcc

SHA1
c304d3147437d80d35c3b1df8d3ed565fe201d5a

SHA256
fd6656ac37d74069db3b993045604004b6ec1068650ab544e841d07bf2da071d

SHA512
6e58ef6c3a2e30b34570dfd4161127c214849caf347fd6ab63cf816a451a0e383a3c3bd452ff239e7a75bae48941a0f28924d757a7000ab905c00f58783fab52

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe

Filesize
1.5MB

MD5
8a3610882dcd50607fd3fa01d7a27b70

SHA1
3f3823159964a51f3e55decdbe83abaf79ba9d8a

SHA256
5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781

SHA512
faca6c13605606e436ca4c78ce0fd2f8cbafaa5ef72f68aae880ee9528377aff69b58f5e16633ee3cf7bec4f732de86fcebafd1ba1490636d0676f9d0a32a444

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8e322281acdcfcebb54503efe6648d39

SHA1
b37a0800f88773fdc311a1e5c0d51f6e53cca284

SHA256
c4f92c46f8a838bc8e0f953a513e1c6bb2636b388057fe05362395a5e3679031

SHA512
ecaca6a428240b48fa656c1a9fc827639ed32027e83e680fb1c935b9451d3de1bc257c7a037ade887b0b3b0ecf8309db91efdd8c50eb339a944f100643473b0a

Download Submit
C:\Windows\SchCache\taskhost.exe

Filesize
1.5MB

MD5
3e1f2d4de91050cf0c48f6e784bd9bb1

SHA1
f85614263dccba8ce79c3a44c9954ae49c8de8c2

SHA256
44674a9932aea3b399f7515b40375233d275dd9a0958e0201e6c86a67075fc62

SHA512
aa43f1941f8c47f445e142c89bc857c37601f2f8bdf8ed3ac124cb7f906f693998d002aceeaf0e41b6d6d382bffc38a467bce4ae10a46525b64bca1269d59946

Download Submit
memory/552-182-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/552-184-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1632-151-0x0000000000E80000-0x000000000100C000-memory.dmp

Filesize
1.5MB

Download
memory/2008-6-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/2008-7-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/2008-9-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/2008-10-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/2008-11-0x0000000000B90000-0x0000000000B9C000-memory.dmp

Filesize
48KB

Download
memory/2008-12-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

Filesize
40KB

Download
memory/2008-13-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/2008-8-0x00000000008A0000-0x00000000008AC000-memory.dmp

Filesize
48KB

Download
memory/2008-5-0x0000000000880000-0x0000000000890000-memory.dmp

Filesize
64KB

Download
memory/2008-129-0x000007FEF6BF3000-0x000007FEF6BF4000-memory.dmp

Filesize
4KB

Download
memory/2008-143-0x000007FEF6BF0000-0x000007FEF75DC000-memory.dmp

Filesize
9.9MB

Download
memory/2008-0-0x000007FEF6BF3000-0x000007FEF6BF4000-memory.dmp

Filesize
4KB

Download
memory/2008-4-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/2008-3-0x0000000000640000-0x000000000065C000-memory.dmp

Filesize
112KB

Download
memory/2008-2-0x000007FEF6BF0000-0x000007FEF75DC000-memory.dmp

Filesize
9.9MB

Download
memory/2008-1-0x00000000010D0000-0x000000000125C000-memory.dmp

Filesize
1.5MB

Download