dcrat | 95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Size

1.7MB
MD5

274dfd128512553bde18a7d5e63afcf1
SHA1

3579d08a2a108e03cda8a8439380896106e998d9
SHA256

95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e
SHA512

6466138438bb2168112b99302d8f65c316d62ad393e7c395fef916f6debfa5989d2a7673a3be46908a587b942f527fd44e9b24e86cd8826bac2ec2c44daa3f3a
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvQ:OTHUxUoh1IF9gl2x

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2716	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2716	schtasks.exe	28

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1860-1-0x0000000000B70000-0x0000000000D30000-memory.dmp	dcrat
behavioral1/files/0x0006000000016d11-27.dat	dcrat
behavioral1/files/0x0007000000019494-66.dat	dcrat
behavioral1/files/0x000a000000014cde-100.dat	dcrat
behavioral1/files/0x0011000000016d11-170.dat	dcrat
behavioral1/memory/1492-186-0x00000000009D0000-0x0000000000B90000-memory.dmp	dcrat
behavioral1/memory/2884-251-0x0000000000FF0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/556-264-0x0000000001100000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/2404-276-0x0000000000330000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2908-288-0x0000000001330000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/2328-300-0x0000000000100000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/2528-312-0x0000000000910000-0x0000000000AD0000-memory.dmp	dcrat
behavioral1/memory/1992-324-0x0000000000FB0000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/720-347-0x0000000001130000-0x00000000012F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2112	powershell.exe
1620	powershell.exe
3040	powershell.exe
2280	powershell.exe
2316	powershell.exe
1588	powershell.exe
2772	powershell.exe
2964	powershell.exe
3044	powershell.exe
2752	powershell.exe
1668	powershell.exe
2292	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe

Executes dropped EXE 10 IoCs

pid	Process
1492	csrss.exe
2884	csrss.exe
556	csrss.exe
2404	csrss.exe
2908	csrss.exe
2328	csrss.exe
2528	csrss.exe
1992	csrss.exe
1632	csrss.exe
720	csrss.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\RCX6B7B.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\wininit.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\56085415360792	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX6909.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\RCX6B0D.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\6203df4a6bafc7	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\wininit.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX6908.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\7a0fd90576e088	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Windows\ShellNew\RCX7188.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Windows\ShellNew\RCX7189.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Windows\ShellNew\explorer.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Windows\ShellNew\explorer.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2456	schtasks.exe
828	schtasks.exe
2832	schtasks.exe
2400	schtasks.exe
2872	schtasks.exe
2216	schtasks.exe
2888	schtasks.exe
1340	schtasks.exe
2564	schtasks.exe
1868	schtasks.exe
2828	schtasks.exe
1796	schtasks.exe
3000	schtasks.exe
1028	schtasks.exe
2660	schtasks.exe
1256	schtasks.exe
1932	schtasks.exe
852	schtasks.exe
2764	schtasks.exe
552	schtasks.exe
1572	schtasks.exe
2500	schtasks.exe
2460	schtasks.exe
664	schtasks.exe
1192	schtasks.exe
596	schtasks.exe
1540	schtasks.exe
1776	schtasks.exe
1664	schtasks.exe
572	schtasks.exe
292	schtasks.exe
1812	schtasks.exe
1872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1588	powershell.exe
1620	powershell.exe
2752	powershell.exe
1492	csrss.exe
1492	csrss.exe
1492	csrss.exe
2772	powershell.exe
2964	powershell.exe
1492	csrss.exe
1492	csrss.exe
3044	powershell.exe
2292	powershell.exe
3040	powershell.exe
2112	powershell.exe
2280	powershell.exe
1492	csrss.exe
1668	powershell.exe
1492	csrss.exe
1492	csrss.exe
1492	csrss.exe
1492	csrss.exe
1492	csrss.exe
1492	csrss.exe
1492	csrss.exe
1492	csrss.exe
1492	csrss.exe
1492	csrss.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1492	csrss.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2884	csrss.exe
Token: SeDebugPrivilege	556	csrss.exe
Token: SeDebugPrivilege	2404	csrss.exe
Token: SeDebugPrivilege	2908	csrss.exe
Token: SeDebugPrivilege	2328	csrss.exe
Token: SeDebugPrivilege	2528	csrss.exe
Token: SeDebugPrivilege	1992	csrss.exe
Token: SeDebugPrivilege	1632	csrss.exe
Token: SeDebugPrivilege	720	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2316	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	62
PID 1860 wrote to memory of 2316	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	62
PID 1860 wrote to memory of 2316	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	62
PID 1860 wrote to memory of 1588	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	63
PID 1860 wrote to memory of 1588	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	63
PID 1860 wrote to memory of 1588	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	63
PID 1860 wrote to memory of 2772	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	65
PID 1860 wrote to memory of 2772	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	65
PID 1860 wrote to memory of 2772	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	65
PID 1860 wrote to memory of 1620	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	66
PID 1860 wrote to memory of 1620	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	66
PID 1860 wrote to memory of 1620	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	66
PID 1860 wrote to memory of 2292	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	67
PID 1860 wrote to memory of 2292	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	67
PID 1860 wrote to memory of 2292	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	67
PID 1860 wrote to memory of 3044	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	68
PID 1860 wrote to memory of 3044	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	68
PID 1860 wrote to memory of 3044	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	68
PID 1860 wrote to memory of 2964	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	69
PID 1860 wrote to memory of 2964	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	69
PID 1860 wrote to memory of 2964	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	69
PID 1860 wrote to memory of 1668	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	70
PID 1860 wrote to memory of 1668	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	70
PID 1860 wrote to memory of 1668	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	70
PID 1860 wrote to memory of 3040	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	72
PID 1860 wrote to memory of 3040	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	72
PID 1860 wrote to memory of 3040	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	72
PID 1860 wrote to memory of 2752	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	74
PID 1860 wrote to memory of 2752	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	74
PID 1860 wrote to memory of 2752	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	74
PID 1860 wrote to memory of 2280	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	77
PID 1860 wrote to memory of 2280	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	77
PID 1860 wrote to memory of 2280	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	77
PID 1860 wrote to memory of 2112	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	79
PID 1860 wrote to memory of 2112	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	79
PID 1860 wrote to memory of 2112	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	79
PID 1860 wrote to memory of 1492	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	83
PID 1860 wrote to memory of 1492	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	83
PID 1860 wrote to memory of 1492	1860	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	83
PID 1492 wrote to memory of 1240	1492	csrss.exe	87
PID 1492 wrote to memory of 1240	1492	csrss.exe	87
PID 1492 wrote to memory of 1240	1492	csrss.exe	87
PID 1492 wrote to memory of 968	1492	csrss.exe	88
PID 1492 wrote to memory of 968	1492	csrss.exe	88
PID 1492 wrote to memory of 968	1492	csrss.exe	88
PID 1240 wrote to memory of 2884	1240	WScript.exe	89
PID 1240 wrote to memory of 2884	1240	WScript.exe	89
PID 1240 wrote to memory of 2884	1240	WScript.exe	89
PID 2884 wrote to memory of 2708	2884	csrss.exe	90
PID 2884 wrote to memory of 2708	2884	csrss.exe	90
PID 2884 wrote to memory of 2708	2884	csrss.exe	90
PID 2884 wrote to memory of 2644	2884	csrss.exe	91
PID 2884 wrote to memory of 2644	2884	csrss.exe	91
PID 2884 wrote to memory of 2644	2884	csrss.exe	91
PID 2708 wrote to memory of 556	2708	WScript.exe	94
PID 2708 wrote to memory of 556	2708	WScript.exe	94
PID 2708 wrote to memory of 556	2708	WScript.exe	94
PID 556 wrote to memory of 772	556	csrss.exe	95
PID 556 wrote to memory of 772	556	csrss.exe	95
PID 556 wrote to memory of 772	556	csrss.exe	95
PID 556 wrote to memory of 2576	556	csrss.exe	96
PID 556 wrote to memory of 2576	556	csrss.exe	96
PID 556 wrote to memory of 2576	556	csrss.exe	96
PID 772 wrote to memory of 2404	772	WScript.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
"C:\Users\Admin\AppData\Local\Temp\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
  "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e19e0d0a-ae0d-4bac-b6f8-a15e707aeac5.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
      C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7bb407a-6cc9-4646-8a64-aee9c55f5e94.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ee242a6-cd09-40d3-b075-7e45a588bcff.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc5fb609-01a4-4d4c-a158-2be48b6ab868.vbs"
        9⤵
        
        PID:2772
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cfd787d-a65f-4430-8073-e5695a73181b.vbs"
        11⤵
        
        PID:868
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529146e8-665b-4e37-ae55-ab22b8f7f712.vbs"
        13⤵
        
        PID:1936
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cf5b788-9d37-4185-8bda-71adf868724c.vbs"
        15⤵
        
        PID:2728
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bd37134-1f5e-411b-acdb-a443b8bfa6b0.vbs"
        17⤵
        
        PID:2648
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0b43334-c83c-4493-a78c-a67a19ca0ed2.vbs"
        19⤵
        
        PID:1556
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\766440bb-fbfd-4c30-9ab1-91d476294231.vbs"
        21⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5118eccb-6536-49c1-8159-e9620dafce23.vbs"
        21⤵
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6b21326-d01f-414d-8711-e30716d2e960.vbs"
        19⤵
        
        PID:1112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e3fb1fc-25d2-4cbf-985d-6a8c5194c2b7.vbs"
        17⤵
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c152459-c114-4854-b548-04aac39b2737.vbs"
        15⤵
        
        PID:1208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\915b157f-661c-420a-bf5f-e21959326afa.vbs"
        13⤵
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1927a6b-51a4-418c-868b-572a61b3b002.vbs"
        11⤵
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81bec3af-1627-498c-b6f6-5f1c8df20a38.vbs"
        9⤵
        
        PID:664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ada20c7b-019d-4215-bc1f-ae8ebaa2cede.vbs"
        7⤵
        
        PID:2576
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0f17742-9178-40b5-81fb-92fdb03d146a.vbs"
        5⤵
        
        PID:2644
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9863b62a-598a-4e3e-9773-c3b98a665d49.vbs"
    3⤵
    PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\Sample Music\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e9" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e" /sc ONLOGON /tr "'C:\MSOCache\All Users\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e9" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ShellNew\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\ja-JP\wininit.exe

Filesize
1.7MB

MD5
274dfd128512553bde18a7d5e63afcf1

SHA1
3579d08a2a108e03cda8a8439380896106e998d9

SHA256
95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e

SHA512
6466138438bb2168112b99302d8f65c316d62ad393e7c395fef916f6debfa5989d2a7673a3be46908a587b942f527fd44e9b24e86cd8826bac2ec2c44daa3f3a

Download Submit
C:\Program Files\Windows Sidebar\ja-JP\wininit.exe

Filesize
1.7MB

MD5
c1a412e511a2b193234fe81dde5fcbdd

SHA1
a8723a4782377798af03c4ad914199f1777e98c3

SHA256
1dcdefa6dc68655883529ccfd406c86f9b7939b36be1701efb7b46ff71b0034d

SHA512
1f0099c3a6d0c5a9013d565c9f4dd8620d7c9c475448f0a3fe4a572b1ed889da18d3ff51e2679057c552ee389e770c807bcd4b2a097bf80345846ada5cb8a013

Download Submit
C:\ProgramData\Package Cache\taskhost.exe

Filesize
1.7MB

MD5
ee63aee82a4cf5e8613f06a9d278db3f

SHA1
10367136bf502decc394661d3850d2630e25aaa7

SHA256
14549850fb50d266f4d669ded2d731fba2072afe9199c60ef731749475d90d63

SHA512
227da7a861833ba098d5779dc088a9c0b0f1d726ead2f4c32351a788cc6bd65faeb9c7c6b3fc98ec6e53a8df16d8cdae137e8681bc073318ebda6766eb315c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1cf5b788-9d37-4185-8bda-71adf868724c.vbs

Filesize
734B

MD5
baa1d1be5eefb44f2365be6336e5ff89

SHA1
04a0b32f4f1577bf638321c1447f0fa53797c54a

SHA256
fcd11f6316545167a5f7521fedf59bc38453d771e321be41c5bb4c2ab9600fe6

SHA512
db529aed0a9f78959364dbc7575aa66f5b771afb14354d8d09c4c46108b62828f7128bff87702d1044605570cf48bd800482ff46ffe87d5c15eb3f178793cedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ee242a6-cd09-40d3-b075-7e45a588bcff.vbs

Filesize
733B

MD5
5e49358e9cfde03537a35d2605a7cb65

SHA1
bfd98a1082ef2a99df4468e794de7bbea12fb715

SHA256
7dbc4742d5c3e5f91b656187467b8133206918e1ab9413d16a87f655d62edb62

SHA512
a1767be439fc589950c01c74545216ec37dc5fff946c3fa9e16b683f0c8cc4198da8fbb8aae249f9949d6a589e85b10d76ca3fa3549eb1a413a119341d024946

Download Submit
C:\Users\Admin\AppData\Local\Temp\4cfd787d-a65f-4430-8073-e5695a73181b.vbs

Filesize
734B

MD5
140bdba8702cceeeabea1585014bbb30

SHA1
9d04cf9b203ccf5e908ca2771ff403d6d73a92f0

SHA256
e10c855ac752ba58091716c1b3a66b51fc83463c1dc8499e38143b37c8df34a2

SHA512
2d5cc3054099858dd6dcb1c78af040b6634c5fd1211c7b3e793f7d3d4175eeeda46e25b5ba7aa59807f318b940c8bfb0bd18f8cf787f46b560e13aded9cfef70

Download Submit
C:\Users\Admin\AppData\Local\Temp\529146e8-665b-4e37-ae55-ab22b8f7f712.vbs

Filesize
734B

MD5
ea5024b70963248b269559c24d4322d2

SHA1
78bb8c26db37edb07faa27e2454858b5783e1b40

SHA256
14e08ce7619e786b57fb3483ed0ff549579920758a2e0b6bce3b83e08bfc2a7b

SHA512
7aa1609a6ffd5156eeecbded93191463f43255f39ed681f56f4762d93a3e12ad3ae29389e3f7c660142f4a05f93c6bb5c28aa6de32fb38e43157232f1a692696

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bd37134-1f5e-411b-acdb-a443b8bfa6b0.vbs

Filesize
734B

MD5
2d9a3cb43d00f341531f7366dedfde03

SHA1
6634a296b85c0e9f5518e4386e8ad4c5f7895ba5

SHA256
ef50df5d43bd8654c49622a3953a4b74f14e7d1bc473322d1dd938331f12b79c

SHA512
b4fae04ae61ad1b8f293ec81ad2b131f77cc5c243752f008652b743a40adc4184d1dc2cc36a9a3e0bea30a9c20c793c8e9aa035818e8822d8e99c971e52a4de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\766440bb-fbfd-4c30-9ab1-91d476294231.vbs

Filesize
733B

MD5
51f8f3067b6ccac9c732305b2ae40cf1

SHA1
eea0ea42a9820f3253c93f696693dc5d5585b348

SHA256
956442f949328c400a2c4d379c20a408ac4e9ca7a15745754b610623902dc7a3

SHA512
3da2682644ea1214332c3d086cf086e339aa039c55ffff7017fa109de29001bfa5babafb5ac43eedbfa5c3907ed35a7bb1cdde747850cf5878a7e8cf017640b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9863b62a-598a-4e3e-9773-c3b98a665d49.vbs

Filesize
510B

MD5
3d93c4d829f3ffb49226d690db14202d

SHA1
9dd74fdfd4201b86c332a9ef1d8a87ca28e1dd21

SHA256
eb0c329bc73f354647e836b3ee47f5e2434c1e48cf6217e79e6b16c0309496e9

SHA512
88b1b8a426110909f165e6768543f721725c4c416cb6d978a5862206fe583e009508a6f9585b1b3e89c780066ff2f47fc79c402b974a00c1da7e23699521f5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc5fb609-01a4-4d4c-a158-2be48b6ab868.vbs

Filesize
734B

MD5
26fd8a9bfaa6b6323bac9b0926e1883f

SHA1
6ae76970abe3417947a461fb1dd89346d0256ec2

SHA256
2a0242d21ac1420380036cb2746d8bc857d14b7fe3bf5e639da661e31bd14c1a

SHA512
46bfd0ecdcb2dd6cc89d5440935bb88c538ab281f7c1bbfd7d1ebbec26a6c9237d50efe9181a76bf02f6eaf32e20116a6db531f931811c770b6505595cc21d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0b43334-c83c-4493-a78c-a67a19ca0ed2.vbs

Filesize
734B

MD5
0b875c43c90edb455ecfc058138f4623

SHA1
08aa307fd918f1c6b64965ae1697be7f2d74def3

SHA256
2ff6d665090189a6a6def3790ce2882b16a9d412a90062c53bae4c479857ad84

SHA512
40c55945b3e68bfdb663822fccda91ffbf18b02c4a987f1c06b4fd863957f09a16e90850fff0112e6a159a7b082dc330d74a84461f885f0503be68a1c52af32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e19e0d0a-ae0d-4bac-b6f8-a15e707aeac5.vbs

Filesize
734B

MD5
11078d53ba4ee54e4429d8b718a8bfc7

SHA1
c2a3c8987c29c041c6ce4f8d1ff4db889e27bef1

SHA256
4f20a642f5b99069cf98e38bf3863a9ba4518f88a0d7e29310372418457fd3ba

SHA512
0257f8c84c43ddc0979973d9c85278f2c672526428a07adbf8234046abaa913b29e1046dd4abfe13265405b26ec85472778ea496dbc4bd0b59286274834beae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7bb407a-6cc9-4646-8a64-aee9c55f5e94.vbs

Filesize
734B

MD5
0c45e653c8eac192403014b225981ab7

SHA1
e9df41e8d9dac694b4f544d965d73d34be068579

SHA256
11a5a27f68a6a05010e1f42853d07d64878eacaa45d680f8db1827a80b5036a5

SHA512
7d5d584eb534f950e2c5e4b70eefe82bca8f29054692387e7c44ec1bb401e528ec4ba11e8602791e8f2409c9bd3d77a4853c393bd2cf7db5fc2474efedec1970

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\csrss.exe

Filesize
1.7MB

MD5
73e5b85c629d3d2b0ae4d158b7c882c7

SHA1
4e9d52498c7ba6e587c8ae7392d53c79aa8e81dd

SHA256
e5413af04e58bc3ec9d47cd0421daa736e7bc4ac60049a9ad0b73242c5329a82

SHA512
aedcaf056d75c0629d07ad842ecb28d1994f9424d953ec18aef84e52fa82ccfd312bb6b1210ad99f129a7ed955e913ca50003b67f3b79dadd8868ba6629d7a83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z1A3I1AUZUPAPS1P3OH4.temp

Filesize
7KB

MD5
1a6682d48c49504ea1d867042a3abc30

SHA1
a9834f89a27e5091cd09ec0f47bfc065771ae067

SHA256
5b19b3bf7e42d749934ba0f2a211e71aec0eaed6550d19b98acac65fc6890419

SHA512
1e526a60bd6e9d15e6b4c2ce696f649c6fbb51ad2cb490ec1f5d52a52e337f7fcad1f02f2f7ac71cde32230774c47529ec73ad3ff2791cb994430d4c5e71d09e

Download Submit
memory/556-264-0x0000000001100000-0x00000000012C0000-memory.dmp

Filesize
1.8MB

Download
memory/720-347-0x0000000001130000-0x00000000012F0000-memory.dmp

Filesize
1.8MB

Download
memory/1492-186-0x00000000009D0000-0x0000000000B90000-memory.dmp

Filesize
1.8MB

Download
memory/1492-198-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/1588-185-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1588-187-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/1860-12-0x0000000002150000-0x000000000215C000-memory.dmp

Filesize
48KB

Download
memory/1860-9-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/1860-0-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

Filesize
4KB

Download
memory/1860-188-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

Filesize
9.9MB

Download
memory/1860-17-0x00000000021A0000-0x00000000021AC000-memory.dmp

Filesize
48KB

Download
memory/1860-15-0x0000000002180000-0x0000000002188000-memory.dmp

Filesize
32KB

Download
memory/1860-1-0x0000000000B70000-0x0000000000D30000-memory.dmp

Filesize
1.8MB

Download
memory/1860-13-0x0000000002160000-0x000000000216A000-memory.dmp

Filesize
40KB

Download
memory/1860-14-0x0000000002170000-0x000000000217E000-memory.dmp

Filesize
56KB

Download
memory/1860-2-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

Filesize
9.9MB

Download
memory/1860-3-0x0000000000640000-0x000000000065C000-memory.dmp

Filesize
112KB

Download
memory/1860-19-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

Filesize
9.9MB

Download
memory/1860-11-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/1860-16-0x0000000002190000-0x000000000219C000-memory.dmp

Filesize
48KB

Download
memory/1860-4-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/1860-8-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/1860-5-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/1860-7-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/1860-6-0x0000000000B20000-0x0000000000B36000-memory.dmp

Filesize
88KB

Download
memory/1992-324-0x0000000000FB0000-0x0000000001170000-memory.dmp

Filesize
1.8MB

Download
memory/2316-211-0x000007FEEB790000-0x000007FEEC12D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-300-0x0000000000100000-0x00000000002C0000-memory.dmp

Filesize
1.8MB

Download
memory/2404-276-0x0000000000330000-0x00000000004F0000-memory.dmp

Filesize
1.8MB

Download
memory/2528-312-0x0000000000910000-0x0000000000AD0000-memory.dmp

Filesize
1.8MB

Download
memory/2884-252-0x0000000000C70000-0x0000000000C82000-memory.dmp

Filesize
72KB

Download
memory/2884-251-0x0000000000FF0000-0x00000000011B0000-memory.dmp

Filesize
1.8MB

Download
memory/2908-288-0x0000000001330000-0x00000000014F0000-memory.dmp

Filesize
1.8MB

Download