dcrat | 46116c9ab1a99b38621209da4c405a638542e11e818f8b93929bba881e619199

Analysis

max time kernel
117s
max time network
85s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Size

1.1MB
MD5

2ba1b8f482ac5910dcaa3dd5803c3e01
SHA1

e7928803a85484b7c47e8ab005d900b47ba4f4f0
SHA256

46116c9ab1a99b38621209da4c405a638542e11e818f8b93929bba881e619199
SHA512

55dccab037e6ad7a6dcab0cb3fd5f00952c573ae2250cb9ec3d0e5034256e2de69f60b5e383a303fbc72c12de912ad0782ccbc90500fb778ea9a5cbb873192b7
SSDEEP

24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpdE:EPkVXFGDQoP7FRCZRonh4hfewhmpdE

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	348	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	348	schtasks.exe	31

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2580-18-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2580-20-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2580-23-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2580-14-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2580-12-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2980-358-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2980-360-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2180	powershell.exe
576	powershell.exe
2616	powershell.exe
2636	powershell.exe
2152	powershell.exe
1876	powershell.exe
2200	powershell.exe
568	powershell.exe
1672	powershell.exe
2136	powershell.exe
2068	powershell.exe
1696	powershell.exe
1992	powershell.exe
1684	powershell.exe
2980	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
2556	csrss.exe
1692	csrss.exe
2100	csrss.exe
2616	csrss.exe
1664	csrss.exe
2980	csrss.exe

Loads dropped DLL 3 IoCs

pid	Process
2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2660	WScript.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2640 set thread context of 2580	2640	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	30
PID 2556 set thread context of 2100	2556	csrss.exe	106
PID 2616 set thread context of 2980	2616	csrss.exe	112

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXCBA4.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCXCE16.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files\7-Zip\Lang\wininit.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXCBA3.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXC6FE.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\886983d96e3d3e	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXC690.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\wininit.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCXCDA7.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files\7-Zip\Lang\56085415360792	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\24dbde2999530e	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\L2Schemas\dllhost.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\Resources\RCXDD5F.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0006\RCXE00F.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0006\RCXE07D.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Windows\Resources\dwm.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0006\sppsvc.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Windows\L2Schemas\dllhost.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\L2Schemas\RCXDB5B.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\Resources\RCXDDCD.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\Resources\dwm.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0006\sppsvc.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Windows\L2Schemas\5940a34987c991	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Windows\Resources\6cb0b6c459d5d3	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0006\0a1fd5f707cd16	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Windows\L2Schemas\RCXDB5A.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2004	schtasks.exe
1628	schtasks.exe
2960	schtasks.exe
2616	schtasks.exe
2380	schtasks.exe
1408	schtasks.exe
1744	schtasks.exe
904	schtasks.exe
1168	schtasks.exe
2724	schtasks.exe
1664	schtasks.exe
672	schtasks.exe
2164	schtasks.exe
2340	schtasks.exe
2080	schtasks.exe
2192	schtasks.exe
1740	schtasks.exe
1096	schtasks.exe
2268	schtasks.exe
2232	schtasks.exe
1284	schtasks.exe
1576	schtasks.exe
1448	schtasks.exe
1600	schtasks.exe
2408	schtasks.exe
2464	schtasks.exe
2584	schtasks.exe
572	schtasks.exe
968	schtasks.exe
2300	schtasks.exe
2644	schtasks.exe
2316	schtasks.exe
2500	schtasks.exe
868	schtasks.exe
2636	schtasks.exe
2084	schtasks.exe
1984	schtasks.exe
2276	schtasks.exe
704	schtasks.exe
2872	schtasks.exe
576	schtasks.exe
2224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1696	powershell.exe
2616	powershell.exe
2980	powershell.exe
2152	powershell.exe
2068	powershell.exe
2636	powershell.exe
1672	powershell.exe
1684	powershell.exe
2180	powershell.exe
568	powershell.exe
2136	powershell.exe
2200	powershell.exe
1876	powershell.exe
1992	powershell.exe
576	powershell.exe
2556	csrss.exe
2556	csrss.exe
2100	csrss.exe
2616	csrss.exe
2616	csrss.exe
2980	csrss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	2556	csrss.exe
Token: SeDebugPrivilege	2100	csrss.exe
Token: SeDebugPrivilege	2616	csrss.exe
Token: SeDebugPrivilege	2980	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2580	2640	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	30
PID 2640 wrote to memory of 2580	2640	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	30
PID 2640 wrote to memory of 2580	2640	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	30
PID 2640 wrote to memory of 2580	2640	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	30
PID 2640 wrote to memory of 2580	2640	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	30
PID 2640 wrote to memory of 2580	2640	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	30
PID 2640 wrote to memory of 2580	2640	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	30
PID 2640 wrote to memory of 2580	2640	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	30
PID 2640 wrote to memory of 2580	2640	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	30
PID 2580 wrote to memory of 2180	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	74
PID 2580 wrote to memory of 2180	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	74
PID 2580 wrote to memory of 2180	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	74
PID 2580 wrote to memory of 2180	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	74
PID 2580 wrote to memory of 1696	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	75
PID 2580 wrote to memory of 1696	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	75
PID 2580 wrote to memory of 1696	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	75
PID 2580 wrote to memory of 1696	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	75
PID 2580 wrote to memory of 2636	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	77
PID 2580 wrote to memory of 2636	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	77
PID 2580 wrote to memory of 2636	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	77
PID 2580 wrote to memory of 2636	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	77
PID 2580 wrote to memory of 2200	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	79
PID 2580 wrote to memory of 2200	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	79
PID 2580 wrote to memory of 2200	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	79
PID 2580 wrote to memory of 2200	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	79
PID 2580 wrote to memory of 576	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	82
PID 2580 wrote to memory of 576	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	82
PID 2580 wrote to memory of 576	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	82
PID 2580 wrote to memory of 576	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	82
PID 2580 wrote to memory of 2980	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	83
PID 2580 wrote to memory of 2980	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	83
PID 2580 wrote to memory of 2980	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	83
PID 2580 wrote to memory of 2980	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	83
PID 2580 wrote to memory of 2068	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	84
PID 2580 wrote to memory of 2068	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	84
PID 2580 wrote to memory of 2068	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	84
PID 2580 wrote to memory of 2068	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	84
PID 2580 wrote to memory of 2136	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	85
PID 2580 wrote to memory of 2136	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	85
PID 2580 wrote to memory of 2136	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	85
PID 2580 wrote to memory of 2136	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	85
PID 2580 wrote to memory of 1684	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	87
PID 2580 wrote to memory of 1684	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	87
PID 2580 wrote to memory of 1684	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	87
PID 2580 wrote to memory of 1684	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	87
PID 2580 wrote to memory of 1992	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	89
PID 2580 wrote to memory of 1992	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	89
PID 2580 wrote to memory of 1992	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	89
PID 2580 wrote to memory of 1992	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	89
PID 2580 wrote to memory of 568	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	91
PID 2580 wrote to memory of 568	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	91
PID 2580 wrote to memory of 568	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	91
PID 2580 wrote to memory of 568	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	91
PID 2580 wrote to memory of 2616	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	94
PID 2580 wrote to memory of 2616	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	94
PID 2580 wrote to memory of 2616	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	94
PID 2580 wrote to memory of 2616	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	94
PID 2580 wrote to memory of 2152	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	96
PID 2580 wrote to memory of 2152	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	96
PID 2580 wrote to memory of 2152	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	96
PID 2580 wrote to memory of 2152	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	96
PID 2580 wrote to memory of 1876	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	97
PID 2580 wrote to memory of 1876	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	97
PID 2580 wrote to memory of 1876	2580	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
"C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0006\sppsvc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe
    "C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
  - - C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:1692
  - - C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe
      "{path}"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2100
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d00eaf4-bba4-4ff1-bd9c-a56994c187c8.vbs"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2660
      - C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe
        
        "{path}"
        7⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe
        
        "{path}"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45eb317a-bfcc-48aa-b627-2b6e235a4cae.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a22c3c81-3490-44b3-9e4f-eca2a6a6159d.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:576
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4766bf50-212b-47d7-9303-b565d749d089.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Downloads\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N5" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N5" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Resources\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0006\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0006\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0006\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe

Filesize
1.1MB

MD5
2ba1b8f482ac5910dcaa3dd5803c3e01

SHA1
e7928803a85484b7c47e8ab005d900b47ba4f4f0

SHA256
46116c9ab1a99b38621209da4c405a638542e11e818f8b93929bba881e619199

SHA512
55dccab037e6ad7a6dcab0cb3fd5f00952c573ae2250cb9ec3d0e5034256e2de69f60b5e383a303fbc72c12de912ad0782ccbc90500fb778ea9a5cbb873192b7

Download Submit
C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe

Filesize
1.1MB

MD5
5836c7c35920bd020e3a760f6ed0729e

SHA1
7a60c2843592770c2f645ec2adb66dc65dfb58fd

SHA256
17d84195b925230ae3d1e01bdcf0cc0f8564a7713de13065dbc9004a6153094b

SHA512
5c049a0c0938b7f0750eede31f6ff263d9ac029b3924898df468944b6273fc98a50b5d73673f45654b2197b555d7085c81d6ec9f42677ff01aa8945b20217922

Download Submit
C:\Program Files\7-Zip\Lang\wininit.exe

Filesize
1.1MB

MD5
f0f426e4f3f9264b62832d19b0fd82df

SHA1
e0e726a102c925744f1f3867b88088ed83343618

SHA256
856bd42fa012c0e13a827169b8f97f047dcb125a26462cf5b72fc44a877f5bcd

SHA512
f92a9052b13569326c2e4965a776e53401a76e34ff1aec305bd6d2f59e168b9c559708f0a1a72a04836a026b97e5903edc12cd28c20589c3cd3819927b03c854

Download Submit
C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe

Filesize
1.1MB

MD5
67f0c1a1e8dfa7551d4b8547d81630d7

SHA1
7a9d79e60575ce08b9cca7e223e40b2f8b5ffb9e

SHA256
574a06d2add9ca491c8bc4d98a35b30cf6a08293f5a5dbcd7bc4f9b3eba11bc7

SHA512
ff9c4738f22fb13ddb17007d0e7d8e72254e24bb68b89e42c93c17d136ea7f7facae3824bfbed3a68d27ffbb8f1360cb80c9dd027d8e186d8ddfb949efae4a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\45eb317a-bfcc-48aa-b627-2b6e235a4cae.vbs

Filesize
731B

MD5
45c2ca7dc6eeaf55e4e06df1a5f03250

SHA1
a02a9ad4d34b5e2bf1bad79af6db3e0014a12770

SHA256
44c2daa3e552252638512d883eee349e716213c4858a9b1675b7bcafcb5d69c4

SHA512
8c5dd75db559c9532cc9fccab2831ff6b0e94e4dfc19c30ddb4280e6030d30f1759fa57daf0b6ccf67f855fb106764ffc77f2085017e738aea65a2bc5660ce76

Download Submit
C:\Users\Admin\AppData\Local\Temp\4766bf50-212b-47d7-9303-b565d749d089.vbs

Filesize
507B

MD5
6068ddd45400f89a15fae8546fdc9f7c

SHA1
0556208b8650be81b71b2c10db93117678a21ebc

SHA256
af8e4e9236a277160a789888ade9f90bf17888dd352f7d89d8161d000eddebc7

SHA512
a548395b0bb9a733eefda4a7e32fad316e5111b47c7767f83eb603f86b9c529f1bcbda8e36089dfd3a60eb68c59e3abd6d61d365454af77a303c4a00ad766a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d00eaf4-bba4-4ff1-bd9c-a56994c187c8.vbs

Filesize
731B

MD5
11a8df8f610f0c8fb4951a1edd27a530

SHA1
f8d69e93092abf6f7c4a620bb33e7641d223464a

SHA256
59db77bffafdcde6670058a4d3e9b4d1a44c3161a418d9c931481e24d8e8a307

SHA512
f7b65b5139d76ec6029ab4b1b1564a4c8e38a2ff63edb88b95aa9f292ab89907c62e4ac43153fe0c8ac39ea602b1b58cbbe6316e13fddc9dd41f82ed0dd4c321

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0899e859a43fa74e8f285a21287de5ba

SHA1
d6f795d789a2597c35d1a0c1c2cfa236b525ae5a

SHA256
0f9386844438047c3cbc718cf9fdde676dde2ddff20e7cc887f3ae674ce41d5a

SHA512
a052b7551939b8a99651b5dc158d8000b707a172fc24d0289c334fd7b55c1fe15ae6ec224ea3f7dbe0e15778f3906863bbcae4ebe9e7b643b5ba345aa61b9eeb

Download Submit
C:\Users\Public\Downloads\csrss.exe

Filesize
1.1MB

MD5
b30a9561ada2deff9876884432f6ea6c

SHA1
e58682ebc72d478766685b2378b3b44937b6ca3d

SHA256
a04e1370513cdec136b8b0128296bc57da002afed5098422cee8c8d370c91b48

SHA512
411667165c91fe76cf57425ea19410f0872c1ce82a14a4f2b2fdca48056bcee141e4de67108142cdc5cc89ace17135f697abe6b022e29fab34f78cf2e27c2670

Download Submit
C:\Windows\Resources\dwm.exe

Filesize
1.1MB

MD5
470ee5f04925a292460c14e66a06d17f

SHA1
431720b43a68f41e5cd525b125bec856cb41512f

SHA256
2070333ec8bb01f64802e15fc563ee1e878412d5704943df3c18b9388cbc576b

SHA512
1eb7b493a47ac44852dd0c8b7da6215827430255399d6ebf875f9a70c4626f93aafc19c1d74dffd9bbf7a93fc2b5d0b9a2af10e7c4552341a6e51659d14a11fe

Download Submit
C:\Windows\inf\.NET CLR Networking 4.0.0.0\0006\sppsvc.exe

Filesize
1.1MB

MD5
a5b719c0b4679ff9c2567796ceb8a084

SHA1
f047d290fbf1b2016802645b4cbfbcc86e7a09ba

SHA256
9ff87c8177ffef410eaabba9741830ab032327bf1324284080a0e70e38e6b593

SHA512
35a9654233e659c80876fba79232fe51bfe200842a7609f5b56f7c5729b03f1985a3d59e008defc06ae4d4ec53ec22fd4ba7d85a3098d32936ca3df93ac53b4b

Download Submit
memory/2100-328-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2100-333-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/2556-308-0x00000000002C0000-0x00000000003EC000-memory.dmp

Filesize
1.2MB

Download
memory/2556-309-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/2580-23-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2580-20-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2580-306-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-26-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-27-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2580-28-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2580-29-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/2580-30-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2580-31-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2580-32-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/2580-33-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/2580-34-0x0000000000A50000-0x0000000000A5E000-memory.dmp

Filesize
56KB

Download
memory/2580-35-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/2580-36-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/2580-37-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/2580-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2580-14-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2580-8-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2580-24-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-187-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-211-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-18-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2580-10-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2616-345-0x0000000000030000-0x000000000015C000-memory.dmp

Filesize
1.2MB

Download
memory/2640-3-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2640-6-0x00000000054B0000-0x00000000055A6000-memory.dmp

Filesize
984KB

Download
memory/2640-25-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-5-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-4-0x000000007409E000-0x000000007409F000-memory.dmp

Filesize
4KB

Download
memory/2640-0-0x000000007409E000-0x000000007409F000-memory.dmp

Filesize
4KB

Download
memory/2640-2-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-7-0x0000000005D20000-0x0000000005E4E000-memory.dmp

Filesize
1.2MB

Download
memory/2640-1-0x0000000000E70000-0x0000000000F9C000-memory.dmp

Filesize
1.2MB

Download
memory/2980-358-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2980-360-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2980-355-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download