dcrat | 5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
Size

1.7MB
MD5

8a0759f7965b2fd0495935ea7ddc0040
SHA1

023336bef59c7ea574d784f201689d63f81045de
SHA256

5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383
SHA512

544222b58f4abce10638aef33670e369caa14749590d0c756b1c48fd9c0dbc4648782b107351982965ddefa23b9a6f1dc6354353bf41c7ecc0903f597f3a8611
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2724	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2884-1-0x0000000000A00000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/files/0x0008000000016cc9-27.dat	dcrat
behavioral1/files/0x000600000001949d-84.dat	dcrat
behavioral1/files/0x000500000001a495-97.dat	dcrat
behavioral1/memory/2972-246-0x0000000000BC0000-0x0000000000D80000-memory.dmp	dcrat
behavioral1/memory/904-326-0x0000000000C90000-0x0000000000E50000-memory.dmp	dcrat
behavioral1/memory/1584-338-0x0000000000090000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/1924-350-0x0000000000B00000-0x0000000000CC0000-memory.dmp	dcrat
behavioral1/memory/2796-362-0x0000000001130000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/1092-374-0x00000000003E0000-0x00000000005A0000-memory.dmp	dcrat
behavioral1/memory/1940-386-0x0000000001320000-0x00000000014E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1744	powershell.exe
1828	powershell.exe
976	powershell.exe
1272	powershell.exe
1336	powershell.exe
1548	powershell.exe
2760	powershell.exe
1820	powershell.exe
284	powershell.exe
3044	powershell.exe
1048	powershell.exe
2896	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe

Executes dropped EXE 7 IoCs

pid	Process
2972	taskhost.exe
2216	taskhost.exe
904	taskhost.exe
1584	taskhost.exe
1924	taskhost.exe
2796	taskhost.exe
1092	taskhost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lt-LT\0a1fd5f707cd16	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\SysWOW64\lt-LT\RCX8560.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\SysWOW64\lt-LT\RCX8561.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\SysWOW64\lt-LT\sppsvc.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Windows\SysWOW64\lt-LT\sppsvc.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Visualizations\System.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX8DA2.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX8DA3.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCX95F4.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\886983d96e3d3e	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\RCX835C.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\taskhost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Sidebar\en-US\taskhost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Mail\es-ES\c5b4cb5e9653cc	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX898A.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Idle.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Mail\es-ES\services.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Microsoft Office\Idle.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\RCX7C35.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCX93D0.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCX95F3.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Microsoft Office\6ccacd8608530f	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\RCX7C15.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX8989.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\services.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\System.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Media Player\Visualizations\27d1bcfc3c54e0	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Sidebar\en-US\b75386f1303e64	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\RCX82EE.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCX93CF.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\ehome\MCX\Idle.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\inf\RCX91CB.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Windows\inf\cc11b995f2a76d	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\ehome\MCX\Idle.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\inf\winlogon.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Windows\ehome\MCX\6ccacd8608530f	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Windows\LiveKernelReports\taskhost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX9A8A.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\LiveKernelReports\taskhost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX9A89.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Windows\inf\winlogon.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Windows\LiveKernelReports\b75386f1303e64	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\ehome\MCX\RCX7E39.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\ehome\MCX\RCX7E3A.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\inf\RCX91CC.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
572	schtasks.exe
2436	schtasks.exe
1860	schtasks.exe
2572	schtasks.exe
1640	schtasks.exe
2568	schtasks.exe
2776	schtasks.exe
2644	schtasks.exe
2860	schtasks.exe
912	schtasks.exe
2692	schtasks.exe
2800	schtasks.exe
1852	schtasks.exe
2556	schtasks.exe
1576	schtasks.exe
2280	schtasks.exe
996	schtasks.exe
2616	schtasks.exe
1736	schtasks.exe
2996	schtasks.exe
592	schtasks.exe
2440	schtasks.exe
800	schtasks.exe
1112	schtasks.exe
3068	schtasks.exe
2500	schtasks.exe
1160	schtasks.exe
2224	schtasks.exe
2216	schtasks.exe
1612	schtasks.exe
884	schtasks.exe
2740	schtasks.exe
2056	schtasks.exe
1472	schtasks.exe
1088	schtasks.exe
1344	schtasks.exe
1788	schtasks.exe
2284	schtasks.exe
300	schtasks.exe
2900	schtasks.exe
568	schtasks.exe
3024	schtasks.exe
2264	schtasks.exe
1764	schtasks.exe
2320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
3044	powershell.exe
1272	powershell.exe
1744	powershell.exe
976	powershell.exe
1336	powershell.exe
2760	powershell.exe
1048	powershell.exe
2896	powershell.exe
284	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	2972	taskhost.exe
Token: SeDebugPrivilege	2216	taskhost.exe
Token: SeDebugPrivilege	904	taskhost.exe
Token: SeDebugPrivilege	1584	taskhost.exe
Token: SeDebugPrivilege	1924	taskhost.exe
Token: SeDebugPrivilege	2796	taskhost.exe
Token: SeDebugPrivilege	1092	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 1272	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	76
PID 2884 wrote to memory of 1272	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	76
PID 2884 wrote to memory of 1272	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	76
PID 2884 wrote to memory of 976	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	77
PID 2884 wrote to memory of 976	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	77
PID 2884 wrote to memory of 976	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	77
PID 2884 wrote to memory of 1828	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	78
PID 2884 wrote to memory of 1828	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	78
PID 2884 wrote to memory of 1828	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	78
PID 2884 wrote to memory of 1820	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	80
PID 2884 wrote to memory of 1820	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	80
PID 2884 wrote to memory of 1820	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	80
PID 2884 wrote to memory of 1336	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	81
PID 2884 wrote to memory of 1336	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	81
PID 2884 wrote to memory of 1336	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	81
PID 2884 wrote to memory of 1548	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	83
PID 2884 wrote to memory of 1548	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	83
PID 2884 wrote to memory of 1548	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	83
PID 2884 wrote to memory of 2760	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	84
PID 2884 wrote to memory of 2760	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	84
PID 2884 wrote to memory of 2760	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	84
PID 2884 wrote to memory of 1744	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	85
PID 2884 wrote to memory of 1744	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	85
PID 2884 wrote to memory of 1744	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	85
PID 2884 wrote to memory of 284	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	86
PID 2884 wrote to memory of 284	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	86
PID 2884 wrote to memory of 284	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	86
PID 2884 wrote to memory of 3044	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	87
PID 2884 wrote to memory of 3044	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	87
PID 2884 wrote to memory of 3044	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	87
PID 2884 wrote to memory of 1048	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	88
PID 2884 wrote to memory of 1048	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	88
PID 2884 wrote to memory of 1048	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	88
PID 2884 wrote to memory of 2896	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	91
PID 2884 wrote to memory of 2896	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	91
PID 2884 wrote to memory of 2896	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	91
PID 2884 wrote to memory of 2972	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	100
PID 2884 wrote to memory of 2972	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	100
PID 2884 wrote to memory of 2972	2884	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	100
PID 2972 wrote to memory of 1132	2972	taskhost.exe	101
PID 2972 wrote to memory of 1132	2972	taskhost.exe	101
PID 2972 wrote to memory of 1132	2972	taskhost.exe	101
PID 2972 wrote to memory of 2396	2972	taskhost.exe	102
PID 2972 wrote to memory of 2396	2972	taskhost.exe	102
PID 2972 wrote to memory of 2396	2972	taskhost.exe	102
PID 1132 wrote to memory of 2216	1132	WScript.exe	104
PID 1132 wrote to memory of 2216	1132	WScript.exe	104
PID 1132 wrote to memory of 2216	1132	WScript.exe	104
PID 2216 wrote to memory of 1980	2216	taskhost.exe	105
PID 2216 wrote to memory of 1980	2216	taskhost.exe	105
PID 2216 wrote to memory of 1980	2216	taskhost.exe	105
PID 2216 wrote to memory of 316	2216	taskhost.exe	106
PID 2216 wrote to memory of 316	2216	taskhost.exe	106
PID 2216 wrote to memory of 316	2216	taskhost.exe	106
PID 1980 wrote to memory of 904	1980	WScript.exe	107
PID 1980 wrote to memory of 904	1980	WScript.exe	107
PID 1980 wrote to memory of 904	1980	WScript.exe	107
PID 904 wrote to memory of 300	904	taskhost.exe	108
PID 904 wrote to memory of 300	904	taskhost.exe	108
PID 904 wrote to memory of 300	904	taskhost.exe	108
PID 904 wrote to memory of 2184	904	taskhost.exe	109
PID 904 wrote to memory of 2184	904	taskhost.exe	109
PID 904 wrote to memory of 2184	904	taskhost.exe	109
PID 300 wrote to memory of 1584	300	WScript.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
"C:\Users\Admin\AppData\Local\Temp\5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\LiveKernelReports\taskhost.exe
  "C:\Windows\LiveKernelReports\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89689358-dce0-4db6-acbc-612c8ad7a9a2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\LiveKernelReports\taskhost.exe
      C:\Windows\LiveKernelReports\taskhost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5327336b-ecf4-4f65-84e0-f84144428ddd.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\LiveKernelReports\taskhost.exe
        
        C:\Windows\LiveKernelReports\taskhost.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dc64864-c3b2-4ad2-b298-66de2162299f.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Windows\LiveKernelReports\taskhost.exe
        
        C:\Windows\LiveKernelReports\taskhost.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63b36337-4b09-4f00-bbf8-c40fbb38b7c7.vbs"
        9⤵
        
        PID:1336
        
        C:\Windows\LiveKernelReports\taskhost.exe
        
        C:\Windows\LiveKernelReports\taskhost.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2daa7eba-4b19-45cd-99ec-f82680f7b7fc.vbs"
        11⤵
        
        PID:2292
        
        C:\Windows\LiveKernelReports\taskhost.exe
        
        C:\Windows\LiveKernelReports\taskhost.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8caebe1-0fea-4136-a636-bda73965b953.vbs"
        13⤵
        
        PID:2840
        
        C:\Windows\LiveKernelReports\taskhost.exe
        
        C:\Windows\LiveKernelReports\taskhost.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ec6b9e1-b2af-4297-bc7e-2c65a5af85cc.vbs"
        15⤵
        
        PID:1048
        
        C:\Windows\LiveKernelReports\taskhost.exe
        
        C:\Windows\LiveKernelReports\taskhost.exe
        16⤵
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3e32b9f-46d3-4861-8fac-e241148dfa49.vbs"
        15⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1d800fc-4ea5-4902-80f1-66d9a894406f.vbs"
        13⤵
        
        PID:1428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\716d2f61-11ed-4fd0-b33a-0c4817480b8b.vbs"
        11⤵
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e828f3f-be2b-4997-8ab1-9c467124af21.vbs"
        9⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8c0c474-526f-4f2c-98d1-66332778dce3.vbs"
        7⤵
        
        PID:2184
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7026ad7f-639d-4148-b4b6-f5946edb6586.vbs"
        5⤵
        
        PID:316
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2a0eac0-bc95-425a-9b11-d347c9c7926e.vbs"
    3⤵
    PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Visualizations\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Visualizations\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\ehome\MCX\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ehome\MCX\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\ehome\MCX\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\lt-LT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SysWOW64\lt-LT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\lt-LT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\OFFICE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\OFFICE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\OFFICE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\inf\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\en-US\taskhost.exe

Filesize
1.7MB

MD5
91d5b1fec8dd4577f6cc810bb3276174

SHA1
a11133392be0d7a675085cecbcebd070bdf8f4b4

SHA256
fa8fc15b5b16af8a76af0ec08428717d42e16920a6ad44167a6fba0469a077c3

SHA512
6b9f4a8911763a6b7b6ec2c6e2203f6cfef5197efcfdf8ca684a2e87d5e63ae0432275c532abd7f58207bd9351f308a398c8587cbdac40ad3bda78915b46201d

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe

Filesize
1.7MB

MD5
dca6f8f75e368037d4fcafea0d5c3af8

SHA1
acb21bfd32645a56c0fe45a7005dad8c860c2fd8

SHA256
c58ba932ed51484f2d24bb6f0e1ba22f51318de1679111c3b33c8b8c4b1a574b

SHA512
534a55d80733d173950187b800d7ea725e857596f07858276db97910b3637c78e75d9409b5f8493c4698462785b907ac322c0d166cd4080850c5b22c4d7bc16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2daa7eba-4b19-45cd-99ec-f82680f7b7fc.vbs

Filesize
717B

MD5
02ae75d7c6466ad75019a534595744b4

SHA1
81387517c7a15c852161518516c9cda7141e63a2

SHA256
3dec05289dcff70a07ccff8e29aeb85f892bc42b021b9a3a3a6300e254707c39

SHA512
27083e80c5240145769c262781b7a8f3b0d43d54afdcdd1aa0385fa6f7d8c790cea079dcfa7d7192b7c4592d6f760646b943f78567200330f421780e42024730

Download Submit
C:\Users\Admin\AppData\Local\Temp\5327336b-ecf4-4f65-84e0-f84144428ddd.vbs

Filesize
717B

MD5
0479e0734c805b05f790f909c1e87387

SHA1
494d7e5c6b7cc4fcff3baedd22563fadd14a2563

SHA256
8234fae2535370e0768976dd3de85d470af60a20981baaa0be1580dc8e33cc33

SHA512
2da2673e6ceec2164cada555f09b50f748d391f075f12ccfd01ee349850678a22c363c2903f1e20a3281d6d58078722a57d621dfcecac226abec0f14d5afbab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\63b36337-4b09-4f00-bbf8-c40fbb38b7c7.vbs

Filesize
717B

MD5
fb5f0d223dbafa573282f5efbed81ee9

SHA1
d41f5fc38bb4647bfdb1abdb4df3f182adb08494

SHA256
3957694211450a0604fcf1f1132fb89d847a6603f8ac954627d0b4d8ce871fe7

SHA512
e4eb75e3fd1051004ea2cb9701ff3683752bb65c270c24bfe15de26771859054df53de6209285a24b903d2f2cadbf3268e7eddc66c9fb4a25f264990a1fc7437

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc64864-c3b2-4ad2-b298-66de2162299f.vbs

Filesize
716B

MD5
e41d667c203ef626decfd90f24bf7041

SHA1
7885e55cc9e7616ed0235b96bfd7c0adae86bba9

SHA256
f29cf42f0ff9a24bee2d99f8719a6e93bbbe5a61b586084bb4366afe86f2c66d

SHA512
ab05992f319cb4cc9697fcf2053f49c4ae9a890e0e8b9ec43729221a386995f0f77694d5e8f23ca3cf11006d15bf84b1287b48274ad8ba71b112bf39f73bb4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ec6b9e1-b2af-4297-bc7e-2c65a5af85cc.vbs

Filesize
717B

MD5
6b43c0202f3e7574bde644996ffb64b9

SHA1
6a36a8912f9fe3e09627dd32e52a94dd22bc0ac6

SHA256
c0d29f17ff8b9d16b85988f522769406b9ea1cd1165f87c919421e7ae04f6c45

SHA512
5f68632851c85fd4cc0d311715d1d3f1dc1d7f22456177d2639a7d5b6e81fb19160c2bf8b1a6c75b137642538bf129642ea40488e1146ddab216c525c249e7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\89689358-dce0-4db6-acbc-612c8ad7a9a2.vbs

Filesize
717B

MD5
15c8142179a10010948933ce2c569c7b

SHA1
42eacfcf52bd9f052ab26ff0ed1f876c346a820f

SHA256
462a148ee3e5b972b72e68e0074a660424340490fb5506bdfe28a3434916dd86

SHA512
fd54ade58929745dd6eadb045c98711a6e0bd79186cc895f07b61c68d4d600b98db094c2d958908539477585e0d88c64e4d7d4d9d181fa2a22d701b6f38070cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2a0eac0-bc95-425a-9b11-d347c9c7926e.vbs

Filesize
493B

MD5
14d5a3838cd4eef7c80d3bfb47947a71

SHA1
219e39023dbde5f686a8b9cd1bafcceb83860568

SHA256
dc32b34a14f6f6cf5d249dd30a8a752625c0de0882fb65f1202c174b3ccaa930

SHA512
42985bf29e6b781be19fde497837d9ea0b4be5b0cd4a13fdfab33e4924b2cb4d2f78119b43dbb40c5c7c0497b5120b47001d6915a4f30f77c41c2b75cb73f879

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8caebe1-0fea-4136-a636-bda73965b953.vbs

Filesize
717B

MD5
4e103b9df320061a86a15c3a25597240

SHA1
dc697ea4a7c733420043ff6805c478d427d11e34

SHA256
da018d5276ad743471708cdbdceaff7a09e3514b6f17ac66fdb1a96934343611

SHA512
2c29859e3b3b54ade2701221b271f64371cc24d2c01a24fd83e3a42ec47705b606d03ba638fbb49affc4d0c56e6cc7023ba05757a002e22ab602e057dcf34781

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
99a9305d343e37fc0a60cd88e3727b72

SHA1
bdcb6b5906aea0850f067f8f494de4689f67961d

SHA256
a293990d0449daadb8abd61c48ce7f32afbaf95cd11c71365ea4b232a78e315f

SHA512
b1202f7b676c5cec0bd42cef5e9413e2a4077b238a361d5e68fecba5feb19d6b240e2ccbb964ee0ddca5091e8e08ade9f2cfe25675c03d9e4aba39a0e83e489e

Download Submit
C:\Windows\SysWOW64\lt-LT\sppsvc.exe

Filesize
1.7MB

MD5
8a0759f7965b2fd0495935ea7ddc0040

SHA1
023336bef59c7ea574d784f201689d63f81045de

SHA256
5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383

SHA512
544222b58f4abce10638aef33670e369caa14749590d0c756b1c48fd9c0dbc4648782b107351982965ddefa23b9a6f1dc6354353bf41c7ecc0903f597f3a8611

Download Submit
memory/904-326-0x0000000000C90000-0x0000000000E50000-memory.dmp

Filesize
1.8MB

Download
memory/1092-374-0x00000000003E0000-0x00000000005A0000-memory.dmp

Filesize
1.8MB

Download
memory/1584-338-0x0000000000090000-0x0000000000250000-memory.dmp

Filesize
1.8MB

Download
memory/1924-350-0x0000000000B00000-0x0000000000CC0000-memory.dmp

Filesize
1.8MB

Download
memory/1940-386-0x0000000001320000-0x00000000014E0000-memory.dmp

Filesize
1.8MB

Download
memory/2796-362-0x0000000001130000-0x00000000012F0000-memory.dmp

Filesize
1.8MB

Download
memory/2884-12-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/2884-13-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download
memory/2884-175-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

Filesize
4KB

Download
memory/2884-209-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-221-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-1-0x0000000000A00000-0x0000000000BC0000-memory.dmp

Filesize
1.8MB

Download
memory/2884-2-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-17-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/2884-278-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-3-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2884-15-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/2884-16-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/2884-14-0x0000000000990000-0x000000000099E000-memory.dmp

Filesize
56KB

Download
memory/2884-18-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-0-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

Filesize
4KB

Download
memory/2884-11-0x0000000000950000-0x0000000000962000-memory.dmp

Filesize
72KB

Download
memory/2884-9-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/2884-8-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download
memory/2884-7-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/2884-6-0x0000000000910000-0x0000000000926000-memory.dmp

Filesize
88KB

Download
memory/2884-5-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2884-4-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2972-246-0x0000000000BC0000-0x0000000000D80000-memory.dmp

Filesize
1.8MB

Download
memory/3044-267-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/3044-257-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download