dcrat | 7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
Size

1.7MB
MD5

688dfbd7ae580d677742065afa2f2991
SHA1

9742697e260249d2380b8199856b030057670cd1
SHA256

7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750
SHA512

afc474710e071db0caf4d3fd89beddb2a5d6bbfa9e6b93fcd059a33191e66db9bb0b4f4fe0ac4baf5451936c0269a5b8b05355f2076f300bdf852b8a3fb32144
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2736	schtasks.exe	31

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2380-1-0x0000000000CD0000-0x0000000000E90000-memory.dmp	dcrat
behavioral1/files/0x000500000001925e-27.dat	dcrat
behavioral1/files/0x000500000001a03d-56.dat	dcrat
behavioral1/files/0x0009000000016d68-78.dat	dcrat
behavioral1/files/0x00080000000173a7-90.dat	dcrat
behavioral1/files/0x000b0000000173a7-112.dat	dcrat
behavioral1/memory/1584-255-0x0000000000F20000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/2444-267-0x00000000000B0000-0x0000000000270000-memory.dmp	dcrat
behavioral1/memory/1816-280-0x0000000000880000-0x0000000000A40000-memory.dmp	dcrat
behavioral1/memory/2200-293-0x0000000001040000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/1588-305-0x0000000000060000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/2540-317-0x0000000001380000-0x0000000001540000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2212	powershell.exe
2840	powershell.exe
1512	powershell.exe
1256	powershell.exe
1684	powershell.exe
1480	powershell.exe
2740	powershell.exe
1808	powershell.exe
1140	powershell.exe
1648	powershell.exe
1624	powershell.exe
272	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe

Executes dropped EXE 9 IoCs

pid	Process
1584	wininit.exe
2444	wininit.exe
1816	wininit.exe
2200	wininit.exe
1588	wininit.exe
2540	wininit.exe
2232	wininit.exe
2936	wininit.exe
2136	wininit.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCXE742.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCXE743.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\sppsvc.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXE946.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files\Windows Mail\fr-FR\0a1fd5f707cd16	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files\Windows Sidebar\1610b97d3ab4a7	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXDE26.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXE947.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\Internet Explorer\lsass.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\886983d96e3d3e	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files\Windows Sidebar\OSPPSVC.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXF030.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXF2A1.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files\Internet Explorer\lsass.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\Windows Sidebar\OSPPSVC.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXF02F.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXF2A2.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\1610b97d3ab4a7	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files\Windows Mail\fr-FR\sppsvc.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files\Internet Explorer\6203df4a6bafc7	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXDDB8.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\es-ES\taskhost.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\RCXE098.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\inf\de-DE\RCXEBB8.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\inf\de-DE\RCXEBB9.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\inf\de-DE\dwm.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Windows\PolicyDefinitions\es-ES\b75386f1303e64	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Windows\inf\de-DE\dwm.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Windows\inf\de-DE\6cb0b6c459d5d3	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\RCXE02A.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\taskhost.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1884	schtasks.exe
1620	schtasks.exe
2808	schtasks.exe
1688	schtasks.exe
2784	schtasks.exe
2500	schtasks.exe
2236	schtasks.exe
2540	schtasks.exe
1664	schtasks.exe
1132	schtasks.exe
1196	schtasks.exe
1692	schtasks.exe
2676	schtasks.exe
1800	schtasks.exe
2384	schtasks.exe
1568	schtasks.exe
2828	schtasks.exe
2300	schtasks.exe
840	schtasks.exe
2312	schtasks.exe
2884	schtasks.exe
3056	schtasks.exe
2644	schtasks.exe
2720	schtasks.exe
1144	schtasks.exe
764	schtasks.exe
1852	schtasks.exe
1316	schtasks.exe
2708	schtasks.exe
848	schtasks.exe
2876	schtasks.exe
2788	schtasks.exe
2316	schtasks.exe
1564	schtasks.exe
2608	schtasks.exe
2492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
1512	powershell.exe
2740	powershell.exe
1480	powershell.exe
2840	powershell.exe
2212	powershell.exe
272	powershell.exe
1140	powershell.exe
1256	powershell.exe
1624	powershell.exe
1808	powershell.exe
1648	powershell.exe
1684	powershell.exe
1584	wininit.exe
1584	wininit.exe
1584	wininit.exe
1584	wininit.exe
1584	wininit.exe
1584	wininit.exe
1584	wininit.exe
1584	wininit.exe
1584	wininit.exe
1584	wininit.exe
1584	wininit.exe
1584	wininit.exe
1584	wininit.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1584	wininit.exe
Token: SeDebugPrivilege	2444	wininit.exe
Token: SeDebugPrivilege	1816	wininit.exe
Token: SeDebugPrivilege	2200	wininit.exe
Token: SeDebugPrivilege	1588	wininit.exe
Token: SeDebugPrivilege	2540	wininit.exe
Token: SeDebugPrivilege	2232	wininit.exe
Token: SeDebugPrivilege	2936	wininit.exe
Token: SeDebugPrivilege	2136	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2212	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	68
PID 2380 wrote to memory of 2212	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	68
PID 2380 wrote to memory of 2212	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	68
PID 2380 wrote to memory of 2840	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	69
PID 2380 wrote to memory of 2840	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	69
PID 2380 wrote to memory of 2840	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	69
PID 2380 wrote to memory of 1512	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	71
PID 2380 wrote to memory of 1512	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	71
PID 2380 wrote to memory of 1512	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	71
PID 2380 wrote to memory of 272	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	72
PID 2380 wrote to memory of 272	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	72
PID 2380 wrote to memory of 272	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	72
PID 2380 wrote to memory of 1648	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	74
PID 2380 wrote to memory of 1648	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	74
PID 2380 wrote to memory of 1648	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	74
PID 2380 wrote to memory of 1624	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	76
PID 2380 wrote to memory of 1624	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	76
PID 2380 wrote to memory of 1624	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	76
PID 2380 wrote to memory of 1256	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	77
PID 2380 wrote to memory of 1256	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	77
PID 2380 wrote to memory of 1256	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	77
PID 2380 wrote to memory of 1684	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	78
PID 2380 wrote to memory of 1684	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	78
PID 2380 wrote to memory of 1684	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	78
PID 2380 wrote to memory of 1480	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	79
PID 2380 wrote to memory of 1480	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	79
PID 2380 wrote to memory of 1480	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	79
PID 2380 wrote to memory of 1140	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	80
PID 2380 wrote to memory of 1140	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	80
PID 2380 wrote to memory of 1140	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	80
PID 2380 wrote to memory of 2740	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	81
PID 2380 wrote to memory of 2740	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	81
PID 2380 wrote to memory of 2740	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	81
PID 2380 wrote to memory of 1808	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	82
PID 2380 wrote to memory of 1808	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	82
PID 2380 wrote to memory of 1808	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	82
PID 2380 wrote to memory of 1332	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	86
PID 2380 wrote to memory of 1332	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	86
PID 2380 wrote to memory of 1332	2380	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	86
PID 1332 wrote to memory of 908	1332	cmd.exe	94
PID 1332 wrote to memory of 908	1332	cmd.exe	94
PID 1332 wrote to memory of 908	1332	cmd.exe	94
PID 1332 wrote to memory of 1584	1332	cmd.exe	95
PID 1332 wrote to memory of 1584	1332	cmd.exe	95
PID 1332 wrote to memory of 1584	1332	cmd.exe	95
PID 1584 wrote to memory of 2880	1584	wininit.exe	96
PID 1584 wrote to memory of 2880	1584	wininit.exe	96
PID 1584 wrote to memory of 2880	1584	wininit.exe	96
PID 1584 wrote to memory of 1248	1584	wininit.exe	97
PID 1584 wrote to memory of 1248	1584	wininit.exe	97
PID 1584 wrote to memory of 1248	1584	wininit.exe	97
PID 2880 wrote to memory of 2444	2880	WScript.exe	98
PID 2880 wrote to memory of 2444	2880	WScript.exe	98
PID 2880 wrote to memory of 2444	2880	WScript.exe	98
PID 2444 wrote to memory of 2896	2444	wininit.exe	99
PID 2444 wrote to memory of 2896	2444	wininit.exe	99
PID 2444 wrote to memory of 2896	2444	wininit.exe	99
PID 2444 wrote to memory of 936	2444	wininit.exe	100
PID 2444 wrote to memory of 936	2444	wininit.exe	100
PID 2444 wrote to memory of 936	2444	wininit.exe	100
PID 2896 wrote to memory of 1816	2896	WScript.exe	101
PID 2896 wrote to memory of 1816	2896	WScript.exe	101
PID 2896 wrote to memory of 1816	2896	WScript.exe	101
PID 1816 wrote to memory of 2440	1816	wininit.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
"C:\Users\Admin\AppData\Local\Temp\7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a8TbDE3pUR.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:908
- - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe
    "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0c62b76-0c3f-4c29-95cf-9dc2fbe167df.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\123f3c7c-3c70-41c4-85bf-cd943881a66c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc49b037-4f41-4c34-85bb-10d1e407554d.vbs"
        8⤵
        
        PID:2440
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35ead803-4fd6-41f7-9cf4-8984467008e8.vbs"
        10⤵
        
        PID:800
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f00120e8-7d22-419d-b682-ac5361ed1c1f.vbs"
        12⤵
        
        PID:2592
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16056ace-3a2f-4b8b-9a8d-7f82bce67d8a.vbs"
        14⤵
        
        PID:2796
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87abca72-d842-45b7-b7ce-c84f4c463335.vbs"
        16⤵
        
        PID:956
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3867d78d-aa83-47c0-b554-6b1db34cb51e.vbs"
        18⤵
        
        PID:2956
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2388d1c-ea1a-4869-9a08-770191bae8f0.vbs"
        20⤵
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ff32303-53ad-497e-9e2c-4692b5c15b27.vbs"
        20⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acbfe347-401d-4dd4-826b-8cac1be423fe.vbs"
        18⤵
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e3328a3-c0ad-4a9d-a7aa-99f3b79c4d7d.vbs"
        16⤵
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eeabcd2-caf6-4739-b72c-c2c5f4b5e357.vbs"
        14⤵
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a017394e-07f5-4dc4-9353-17a0a6f29434.vbs"
        12⤵
        
        PID:1580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1652c245-0db3-4428-a288-6c1af231ba0c.vbs"
        10⤵
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65e0e84a-d439-46b6-bf00-6ffdf5dc9a6c.vbs"
        8⤵
        
        PID:1932
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\022d6d95-aaf1-438b-b03b-f39520435dde.vbs"
        6⤵
        
        PID:936
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\006362c6-1a87-444c-a101-280d0549c5b2.vbs"
      4⤵
      PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\PolicyDefinitions\es-ES\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b7507" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b7507" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\inf\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\inf\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\inf\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe

Filesize
1.7MB

MD5
8a8725e65ac3904c545e0898de2239ab

SHA1
3f49b63782a57af30dc5a9ac1a7c6d478ba5832a

SHA256
a248b085f1c5d12ef75f84edcb5ca9dd64bfde92e31240d4c793ee808e41ceb3

SHA512
b0e9b3bbdced865c642665c6c757708ce029c751ec5ac2c4d8a6d2884f781fe6e410159ddc7f6d49d0d2d54d4a4e456bb4977193a86426e43ee5dfe175052366

Download Submit
C:\ProgramData\OSPPSVC.exe

Filesize
1.7MB

MD5
75d82195b1f2988d482e29023e5d6df9

SHA1
76c4c95c84f0b29b9ec4b0effeb8fc8d6f69d43e

SHA256
e78cc8ccfb686033acbe098dc55e5e7124964debb183a698b875809ad3e3808a

SHA512
45c624711f3338dc28b107e3726798d9a941e1d9fd026a92e0f29d6e31eff19b7b7cbd6178d13aff950410c90c4a334079995c4cd8af4f060a17ebc4d6d63152

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe

Filesize
1.7MB

MD5
688dfbd7ae580d677742065afa2f2991

SHA1
9742697e260249d2380b8199856b030057670cd1

SHA256
7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750

SHA512
afc474710e071db0caf4d3fd89beddb2a5d6bbfa9e6b93fcd059a33191e66db9bb0b4f4fe0ac4baf5451936c0269a5b8b05355f2076f300bdf852b8a3fb32144

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe

Filesize
1.7MB

MD5
6ab39c6ad2efaef20e079c38d478358e

SHA1
6425094bb2ec023dbff4231589029cfd0092aadd

SHA256
e65a652677786df8f1659d778c4bb341b53e3603a37d1f943091f550ab6276c1

SHA512
0cf314c5a251363e42a90de7fa796fbc54f0b6ec82158fbe67a67c424954c59a1e830e06cc212b896a343276616b043c284a3da198b28ef7a3444dcb4d779991

Download Submit
C:\Users\Admin\AppData\Local\Temp\006362c6-1a87-444c-a101-280d0549c5b2.vbs

Filesize
526B

MD5
9c5211c930fcff65e0eb374f29263d40

SHA1
552b9e7df76e8be9e66cb8005e1c4db9a562fe5b

SHA256
51fcd4ef0703b306cd3e518d5e94603238dc01dadb039949afaa9c1a90d173ab

SHA512
9894df39b2b6698ab8af1793026ff139446793e57cb1eba9805c8f2b76bcce09cfdc5483a4f828aac77c9e82ae35c72002bf583c2160e604a359a15be9e9f570

Download Submit
C:\Users\Admin\AppData\Local\Temp\123f3c7c-3c70-41c4-85bf-cd943881a66c.vbs

Filesize
750B

MD5
7f5aa3b2dd1df7cea95b31524dce6efd

SHA1
3ca28b73b4a7131b73d04e64dac7c6901e4387f9

SHA256
4f9d7e921871f6723a3fb1753a3ccc97110e10c0af30f5fd572548cc6b808794

SHA512
eda424cecde393c20d1aaff8fb1ca398012b2a59a4d787eab86ce22daee32541893ae937fd53504cc63683bb73d48eeaa5b6f9c0309c4495a305a6b952c71efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\16056ace-3a2f-4b8b-9a8d-7f82bce67d8a.vbs

Filesize
750B

MD5
820bd3ed971e5ce20fc7974cc6bbc25c

SHA1
3f1c64edc23e22798880409719f500497748a00a

SHA256
9701a0f65d4a8176ffd39c101fd58e7998cf9ed5412a29f9553a72a7c0f8b303

SHA512
04d97c1186ec3d5133867a42c739c04d5dfdfcaac618dd86010f5de115504bad7555294c26862c9705fbab94812b8a4c5133e9ae388e452fe2ed285f8708c870

Download Submit
C:\Users\Admin\AppData\Local\Temp\35ead803-4fd6-41f7-9cf4-8984467008e8.vbs

Filesize
750B

MD5
b7af0814a78ee57737543a751d664054

SHA1
a4315e5e221f15541d123470fd8c84367bb5b107

SHA256
3970d8362b97fa58e69f25ef608ffab5c92e1e3ef08e1cf1cb272d26a36b98a8

SHA512
27470a1a7d368991ed4e098caf1d77ff65dabb2e4d73836d0bc2835cdb6c75f6fd287e7f0392f894dfc3bfcab7c2a0084d1dd23eb2706b756c7ea82f81ef7840

Download Submit
C:\Users\Admin\AppData\Local\Temp\3867d78d-aa83-47c0-b554-6b1db34cb51e.vbs

Filesize
750B

MD5
50a40e6032ed78d2a5de6bc4b06ac6fe

SHA1
6c75ac2beef5f3116e78ebfc588b2a3d78640b5c

SHA256
ed29aa6acc5154ac2b156b3ef3bf0c6cf9db244c9eb6ed7f8ee79408422c8e50

SHA512
77f86c4b4a2c2ea7e5bac441683d57a03f6ddb1099ef2929e5521ac89208f0d90c930e6c55bcab74aae179e2740208538047494a723bcaab530f3d6186e59400

Download Submit
C:\Users\Admin\AppData\Local\Temp\87abca72-d842-45b7-b7ce-c84f4c463335.vbs

Filesize
750B

MD5
7f42f00e2f61c3b474228544ba3e59b3

SHA1
f4fb84167dfd30449e30fa05223e38ea4a09e28b

SHA256
957db442a18403415c2f590e2d32a204347097fda9c5ccff62d1dda5af008d69

SHA512
edc12e1f515a0e92844e49430a8da4744f0fde4a3867116d952a3ac8c900a1761a10ef8b77df131b14256621b7cc97ec003894c4cf2152d6e95b848aa82cd34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8TbDE3pUR.bat

Filesize
239B

MD5
2839ad175d4888eee04d593b82c42525

SHA1
580f163e8e0dac0b87a3c7a5108ce46ef3566b17

SHA256
bd109d19586d420ac945cdcd5fbe2dff7d3637c13da0f0fb37eb8b0f00373893

SHA512
50a864fe00bb5bb2797b39115640ec57fd47935a7ec13497cbead5f09272b98e8d96a419080c025b010eb6f61807b7374278aa41743183bcb955ac850102c81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0c62b76-0c3f-4c29-95cf-9dc2fbe167df.vbs

Filesize
750B

MD5
73922fdb9a5ec011ee1a543ca9bddd3c

SHA1
fb4ad091427e50349cfe54c6178749a44ccfa771

SHA256
4ca5813376a2ac71bf51ab08e37f5f7d77786c726be828d91fd932353d6bf688

SHA512
63fd456a58362a319fab6111e013d5f96345e62f3a68b3893e9ea061369fc984288bea5f67937545f0597187968427c504667539fceea68757a7b5719b34f226

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc49b037-4f41-4c34-85bb-10d1e407554d.vbs

Filesize
750B

MD5
857f71b7731affc598b6a95155cc5137

SHA1
3569128c34e09a44bd4f32910f8486136f67f0bb

SHA256
cef5dab0e24f7814544db6768e6377dda60e79a0d5561a87bee4ecc18ea80e83

SHA512
944be7fdbf389f432ffb96528a2fff90268bae582d4a6dd069d9b53489b8527ee3a033475a651ad36caf5e3f36bd78272d252eb4ae0063573514244a726aa31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f00120e8-7d22-419d-b682-ac5361ed1c1f.vbs

Filesize
750B

MD5
8d13b39f86d972ae6ca406ba91ffc717

SHA1
01c6be9045f5476ad93d288695bfa93da0550217

SHA256
0c8dcfcf842d8e20895ca16ea180a79b08c8e65532216310f35b3d20b9b3c07a

SHA512
d57887378271ee756c95030513bda79043fe50d0510ce5904b1303f0219d1aec3c142711afe4460a40577db3aa516834b822ff43c3e3b477c852da4e70d879ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2388d1c-ea1a-4869-9a08-770191bae8f0.vbs

Filesize
750B

MD5
1243f605f24f1845b5f0358d636f53ce

SHA1
ebbea886f208f9292ab0f18feb1770266c686e63

SHA256
bc71693d53c93a25c1af3eed5f12edcd1d800f2949a48661c9e13e5af88ebd8c

SHA512
5e78e569f2bd48ab50baa482a6f557aead0d0bd4e783e4df79202cc378c4008cc7a915c0d301a0981d7dbda0f3b74ddd07c6ddc4540a4258c3800667f191cf7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
32042a885fd37cc654bf480d6dd3b4e7

SHA1
855223d78d46f1b31863e071b65676220f752cc2

SHA256
f73d5028d24e9dbd255d993cd759b6b9b0d724793436d227990bc8aad9532831

SHA512
034a3d055e3911a832b23fa456222e41583f3c61f3bbf4483f292b4e27fb3fb406125a9de77d3633a9ac04cde466c016686145aec4812bbd7274140e0bb7d7e3

Download Submit
C:\Windows\PolicyDefinitions\es-ES\RCXE098.tmp

Filesize
1.7MB

MD5
f48ced1627ffa7a826b94512009c3e40

SHA1
c735e4963447adc9b420025c0e9e581d92b34be4

SHA256
d6056cc10c115049782b16f56d1a41d5648067ffdcd6b88cb0bce1fb540bc77b

SHA512
f5301c04c572a99f2e5f36c39ac27efbfef71323028c3900177cd0ee6862bca4fed314fcd796ab41570e6a0d6d457303a17c51ccd4629b4de49818fca456c4a2

Download Submit
memory/1512-225-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1584-255-0x0000000000F20000-0x00000000010E0000-memory.dmp

Filesize
1.8MB

Download
memory/1584-256-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/1588-305-0x0000000000060000-0x0000000000220000-memory.dmp

Filesize
1.8MB

Download
memory/1816-280-0x0000000000880000-0x0000000000A40000-memory.dmp

Filesize
1.8MB

Download
memory/1816-281-0x0000000000870000-0x0000000000882000-memory.dmp

Filesize
72KB

Download
memory/2200-293-0x0000000001040000-0x0000000001200000-memory.dmp

Filesize
1.8MB

Download
memory/2232-329-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/2380-7-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2380-0-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000000CD0000-0x0000000000E90000-memory.dmp

Filesize
1.8MB

Download
memory/2380-15-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/2380-13-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/2380-14-0x00000000006A0000-0x00000000006AE000-memory.dmp

Filesize
56KB

Download
memory/2380-12-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/2380-11-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2380-2-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2380-9-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2380-16-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2380-226-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-8-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/2380-17-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/2380-20-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-6-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/2380-5-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/2380-172-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

Filesize
4KB

Download
memory/2380-4-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/2444-268-0x000000001A710000-0x000000001A722000-memory.dmp

Filesize
72KB

Download
memory/2444-267-0x00000000000B0000-0x0000000000270000-memory.dmp

Filesize
1.8MB

Download
memory/2540-317-0x0000000001380000-0x0000000001540000-memory.dmp

Filesize
1.8MB

Download
memory/2740-223-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download