dcrat | 96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9

Analysis

max time kernel
83s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
Size

1.1MB
MD5

b1294cc7620c4edf880ebd0410dc8f40
SHA1

e557586de113cb682b6cc5230e81a784e1a9935c
SHA256

96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9
SHA512

bab9a94d9a246c6f7411ef95d4727ca9b7237f4f5378d3c2a6cb6b75cf01339765589ab573594b61d63b9bd22873c430ce8821aed529647795726534977dba5f
SSDEEP

24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpd:EPkVXFGDQoP7FRCZRonh4hfewhmpd

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2916	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2600-16-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2600-20-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2600-18-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2600-12-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2600-10-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
548	powershell.exe
2140	powershell.exe
784	powershell.exe
3008	powershell.exe
700	powershell.exe
1636	powershell.exe
604	powershell.exe
1676	powershell.exe
2032	powershell.exe
2792	powershell.exe
772	powershell.exe
1488	powershell.exe
2192	powershell.exe
3000	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
1924	wininit.exe
968	wininit.exe
2504	wininit.exe
2988	wininit.exe
1964	wininit.exe
2520	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 2600	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	33

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\56085415360792	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\b75386f1303e64	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\RCX6E46.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\RCX74C1.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Program Files\Windows Journal\es-ES\c5b4cb5e9653cc	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Program Files\Windows Media Player\Skins\1610b97d3ab4a7	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\RCX6E45.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\services.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\RCX752F.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\RCX7734.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Program Files\Windows Journal\es-ES\services.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Program Files\Windows Media Player\Skins\OSPPSVC.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX7B3D.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX7B3E.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\RCX7733.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\OSPPSVC.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Media\Sonata\wininit.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Windows\Media\Sonata\56085415360792	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\Media\Sonata\RCX704A.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\Media\Sonata\RCX704B.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\Media\Sonata\wininit.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
908	schtasks.exe
2148	schtasks.exe
1656	schtasks.exe
2992	schtasks.exe
1916	schtasks.exe
2496	schtasks.exe
2084	schtasks.exe
1756	schtasks.exe
2208	schtasks.exe
272	schtasks.exe
1996	schtasks.exe
2176	schtasks.exe
2168	schtasks.exe
2204	schtasks.exe
1844	schtasks.exe
1056	schtasks.exe
2236	schtasks.exe
2028	schtasks.exe
1772	schtasks.exe
640	schtasks.exe
444	schtasks.exe
264	schtasks.exe
2876	schtasks.exe
1676	schtasks.exe
1396	schtasks.exe
1736	schtasks.exe
1500	schtasks.exe
1104	schtasks.exe
2328	schtasks.exe
1768	schtasks.exe
2520	schtasks.exe
1356	schtasks.exe
2128	schtasks.exe
2308	schtasks.exe
2452	schtasks.exe
2596	schtasks.exe
2376	schtasks.exe
2616	schtasks.exe
1092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1676	powershell.exe
604	powershell.exe
772	powershell.exe
3008	powershell.exe
1488	powershell.exe
2192	powershell.exe
1636	powershell.exe
784	powershell.exe
2032	powershell.exe
3000	powershell.exe
548	powershell.exe
2140	powershell.exe
700	powershell.exe
2792	powershell.exe
1924	wininit.exe
1924	wininit.exe
1924	wininit.exe
1924	wininit.exe
1924	wininit.exe
1924	wininit.exe
1924	wininit.exe
1924	wininit.exe
1924	wininit.exe
1924	wininit.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
Token: SeDebugPrivilege	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	1924	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1424	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	31
PID 2664 wrote to memory of 1424	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	31
PID 2664 wrote to memory of 1424	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	31
PID 2664 wrote to memory of 1424	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	31
PID 2664 wrote to memory of 2696	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	32
PID 2664 wrote to memory of 2696	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	32
PID 2664 wrote to memory of 2696	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	32
PID 2664 wrote to memory of 2696	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	32
PID 2664 wrote to memory of 2600	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	33
PID 2664 wrote to memory of 2600	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	33
PID 2664 wrote to memory of 2600	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	33
PID 2664 wrote to memory of 2600	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	33
PID 2664 wrote to memory of 2600	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	33
PID 2664 wrote to memory of 2600	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	33
PID 2664 wrote to memory of 2600	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	33
PID 2664 wrote to memory of 2600	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	33
PID 2664 wrote to memory of 2600	2664	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	33
PID 2600 wrote to memory of 2792	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	74
PID 2600 wrote to memory of 2792	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	74
PID 2600 wrote to memory of 2792	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	74
PID 2600 wrote to memory of 2792	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	74
PID 2600 wrote to memory of 3008	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	75
PID 2600 wrote to memory of 3008	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	75
PID 2600 wrote to memory of 3008	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	75
PID 2600 wrote to memory of 3008	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	75
PID 2600 wrote to memory of 548	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	77
PID 2600 wrote to memory of 548	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	77
PID 2600 wrote to memory of 548	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	77
PID 2600 wrote to memory of 548	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	77
PID 2600 wrote to memory of 772	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	78
PID 2600 wrote to memory of 772	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	78
PID 2600 wrote to memory of 772	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	78
PID 2600 wrote to memory of 772	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	78
PID 2600 wrote to memory of 2192	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	82
PID 2600 wrote to memory of 2192	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	82
PID 2600 wrote to memory of 2192	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	82
PID 2600 wrote to memory of 2192	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	82
PID 2600 wrote to memory of 1488	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	83
PID 2600 wrote to memory of 1488	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	83
PID 2600 wrote to memory of 1488	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	83
PID 2600 wrote to memory of 1488	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	83
PID 2600 wrote to memory of 604	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	84
PID 2600 wrote to memory of 604	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	84
PID 2600 wrote to memory of 604	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	84
PID 2600 wrote to memory of 604	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	84
PID 2600 wrote to memory of 2140	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	85
PID 2600 wrote to memory of 2140	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	85
PID 2600 wrote to memory of 2140	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	85
PID 2600 wrote to memory of 2140	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	85
PID 2600 wrote to memory of 3000	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	86
PID 2600 wrote to memory of 3000	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	86
PID 2600 wrote to memory of 3000	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	86
PID 2600 wrote to memory of 3000	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	86
PID 2600 wrote to memory of 1676	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	87
PID 2600 wrote to memory of 1676	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	87
PID 2600 wrote to memory of 1676	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	87
PID 2600 wrote to memory of 1676	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	87
PID 2600 wrote to memory of 2032	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	91
PID 2600 wrote to memory of 2032	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	91
PID 2600 wrote to memory of 2032	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	91
PID 2600 wrote to memory of 2032	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	91
PID 2600 wrote to memory of 700	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	92
PID 2600 wrote to memory of 700	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	92
PID 2600 wrote to memory of 700	2600	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
"C:\Users\Admin\AppData\Local\Temp\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
  "{path}"
  2⤵
  PID:1424
- C:\Users\Admin\AppData\Local\Temp\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
  "{path}"
  2⤵
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Sonata\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:604
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Skins\OSPPSVC.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\taskhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:784
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\Media\Sonata\wininit.exe
    "C:\Windows\Media\Sonata\wininit.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
  - - C:\Windows\Media\Sonata\wininit.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:968
  - - C:\Windows\Media\Sonata\wininit.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:2504
  - - C:\Windows\Media\Sonata\wininit.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:2988
  - - C:\Windows\Media\Sonata\wininit.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:1964
  - - C:\Windows\Media\Sonata\wininit.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Sonata\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Media\Sonata\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\Sonata\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Skins\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Skins\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N9" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N9" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RCX72BD.tmp

Filesize
1.1MB

MD5
bb46c145ce366914c23455eb035bf347

SHA1
0420fa496b26f344b93a7b766ff8156c964c3afe

SHA256
6ea0e353256705581526c64a9853cf755086adc34463edeefac7f54004e94829

SHA512
19474d4d5ed14355a9404ed1a260fef2eff9c809ea3aa8af6d496f1fab52a1ccfcb08437a9cb3ad562a9631b862a4778d7a2bf1c5a5d9ace24acdfa393fc136c

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\taskhost.exe

Filesize
1.1MB

MD5
4d9b351d0e6a88c851cb2409c1619bbc

SHA1
60134e737423189bf9665a40ef3a853767e4f0e2

SHA256
48863294c86022250094b6356aa93a3eef0f868417d6cfb6c964907de03130d2

SHA512
851eec4997a00d2798e01de48e5a9ac1f8b858390086aedff6a62a210571f22242beb8f1ec5a701ad9217aabec7b568176a90fa871096012656c2865b7283c66

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe

Filesize
1.1MB

MD5
2e647d48ea5bb8bf1ab1f4e2540de143

SHA1
d766af98542a6673b57ce72b72591b274139915c

SHA256
f1af282981d176af3f89e9a5e4fb93c0c1c9dbcf9e3beafca0b6d23456c03edb

SHA512
cab322ba277ac2b4a2c40802869174fef5397b373985fe52117ffe908b6c6b84fa1bdd751a5fe55f6124b7fa8a7ca46ae04453130de5b8a2eb8d2456c8a870d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
876ba698623bd2e1584b48a8765ffbca

SHA1
9fd7cc51d35a135a860110f98869ce514976cc54

SHA256
87117537da5a1e815f8cdf7a3c933e5901bcd69e5f60edcd720f4f7b908c3eb0

SHA512
c150b6f9c84b936125d943c9c1a5801cee622a3244c6547c55491b01bd1b5fda98fe05d90b044b0d46905a3902ca22024a0da69547f584a4cd755e3258508026

Download Submit
C:\Users\Default\explorer.exe

Filesize
1.1MB

MD5
38b3834c049f9a1b4c4b40cff14d0c19

SHA1
2253240d3b6dd037edf93c4605dbc9c0eb9a1fa3

SHA256
6d2b0615a0dfc2582ae781f31323a69b8769a774a7863ccefdb957698ba371ec

SHA512
b2cc3ba3aff81082cd5884503c08388fba91167d8f3b50b07e6fc4ab642fbeb3799161f25acb2e658e1b7e6b5b96631a3acbf35304e303f44f2e5fcfcac61f09

Download Submit
C:\Windows\Media\Sonata\wininit.exe

Filesize
1.1MB

MD5
b1294cc7620c4edf880ebd0410dc8f40

SHA1
e557586de113cb682b6cc5230e81a784e1a9935c

SHA256
96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9

SHA512
bab9a94d9a246c6f7411ef95d4727ca9b7237f4f5378d3c2a6cb6b75cf01339765589ab573594b61d63b9bd22873c430ce8821aed529647795726534977dba5f

Download Submit
memory/1924-272-0x00000000001C0000-0x00000000002EC000-memory.dmp

Filesize
1.2MB

Download
memory/1924-274-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2600-16-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2600-24-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2600-273-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-20-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2600-18-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2600-21-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2600-10-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2600-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2600-9-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2600-23-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-193-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-25-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2600-26-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/2600-27-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2600-28-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2600-29-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/2600-30-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/2600-31-0x0000000000D00000-0x0000000000D0E000-memory.dmp

Filesize
56KB

Download
memory/2600-32-0x0000000000D50000-0x0000000000D5C000-memory.dmp

Filesize
48KB

Download
memory/2600-33-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/2600-34-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

Filesize
48KB

Download
memory/2600-8-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2600-205-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-22-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-5-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-4-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/2664-6-0x00000000058D0000-0x00000000059C6000-memory.dmp

Filesize
984KB

Download
memory/2664-7-0x0000000005F60000-0x000000000608E000-memory.dmp

Filesize
1.2MB

Download
memory/2664-3-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2664-2-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-0-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/2664-1-0x0000000000F50000-0x000000000107C000-memory.dmp

Filesize
1.2MB

Download