dcrat | 65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
Size

1.7MB
MD5

f1c7ba434142190a707f597065fda0fc
SHA1

1c2991037471e1247910ca32f4435309bf7ff7fd
SHA256

65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53
SHA512

9aed1b32c9d40149f41afbf88dd9757f52a52d26889b89d47defca85ea39a25c675d0a31c092657c8cfd8473f1130c8323efa9091c00eec4d733f7e29e1743eb
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv0:OTHUxUoh1IF9gl23

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2276	schtasks.exe	30

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1220-1-0x0000000000CA0000-0x0000000000E60000-memory.dmp	dcrat
behavioral1/files/0x000500000001941b-27.dat	dcrat
behavioral1/files/0x000700000001a494-96.dat	dcrat
behavioral1/files/0x000b000000016ca5-119.dat	dcrat
behavioral1/files/0x00060000000194e4-142.dat	dcrat
behavioral1/files/0x000600000001955c-163.dat	dcrat
behavioral1/files/0x00060000000195ff-184.dat	dcrat
behavioral1/memory/2064-248-0x0000000000070000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/1504-295-0x0000000000D80000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/976-319-0x0000000000DA0000-0x0000000000F60000-memory.dmp	dcrat
behavioral1/memory/620-331-0x0000000000F50000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/1260-344-0x00000000011C0000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/2132-356-0x00000000003C0000-0x0000000000580000-memory.dmp	dcrat
behavioral1/memory/1824-368-0x0000000000FE0000-0x00000000011A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2088	powershell.exe
1296	powershell.exe
2196	powershell.exe
2676	powershell.exe
2176	powershell.exe
1856	powershell.exe
1720	powershell.exe
2332	powershell.exe
2844	powershell.exe
2212	powershell.exe
2896	powershell.exe
1712	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Executes dropped EXE 8 IoCs

pid	Process
2064	dllhost.exe
1504	dllhost.exe
2116	dllhost.exe
976	dllhost.exe
620	dllhost.exe
1260	dllhost.exe
2132	dllhost.exe
1824	dllhost.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\spoolsv.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Photo Viewer\5940a34987c991	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXCB68.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\RCXDA14.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXD7A2.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\RCXDA15.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Google\Chrome\Application\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Photo Viewer\dllhost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC6C3.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXCB69.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Portable Devices\56085415360792	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Google\Chrome\Application\1bf8c28e80639f	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Portable Devices\wininit.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC6C4.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXD810.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\dllhost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Portable Devices\wininit.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\spoolsv.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\f3b6ecef712a24	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Speech\Engines\SR\csrss.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\schemas\AvailableNetwork\69ddcba757bf72	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\Speech\Engines\SR\csrss.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\Speech\Engines\SR\886983d96e3d3e	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\smss.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\Speech\Engines\SR\RCXC8C7.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\schemas\AvailableNetwork\smss.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCXC23C.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCXC24D.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\Speech\Engines\SR\RCXC936.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2936	schtasks.exe
708	schtasks.exe
2152	schtasks.exe
1620	schtasks.exe
2872	schtasks.exe
2236	schtasks.exe
1632	schtasks.exe
896	schtasks.exe
1048	schtasks.exe
1312	schtasks.exe
2916	schtasks.exe
1260	schtasks.exe
2292	schtasks.exe
2740	schtasks.exe
804	schtasks.exe
1556	schtasks.exe
2204	schtasks.exe
1408	schtasks.exe
1980	schtasks.exe
692	schtasks.exe
2940	schtasks.exe
2864	schtasks.exe
2256	schtasks.exe
2136	schtasks.exe
2192	schtasks.exe
2568	schtasks.exe
2096	schtasks.exe
2556	schtasks.exe
1852	schtasks.exe
1236	schtasks.exe
2828	schtasks.exe
2848	schtasks.exe
2880	schtasks.exe
1264	schtasks.exe
2084	schtasks.exe
620	schtasks.exe
584	schtasks.exe
2996	schtasks.exe
2856	schtasks.exe
2216	schtasks.exe
1784	schtasks.exe
1860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2844	powershell.exe
1856	powershell.exe
2896	powershell.exe
1712	powershell.exe
2212	powershell.exe
2196	powershell.exe
1296	powershell.exe
2176	powershell.exe
2088	powershell.exe
1720	powershell.exe
2676	powershell.exe
2332	powershell.exe
2064	dllhost.exe
2064	dllhost.exe
2064	dllhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2064	dllhost.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1504	dllhost.exe
Token: SeDebugPrivilege	2116	dllhost.exe
Token: SeDebugPrivilege	976	dllhost.exe
Token: SeDebugPrivilege	620	dllhost.exe
Token: SeDebugPrivilege	1260	dllhost.exe
Token: SeDebugPrivilege	2132	dllhost.exe
Token: SeDebugPrivilege	1824	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2212	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	74
PID 1220 wrote to memory of 2212	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	74
PID 1220 wrote to memory of 2212	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	74
PID 1220 wrote to memory of 2896	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	75
PID 1220 wrote to memory of 2896	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	75
PID 1220 wrote to memory of 2896	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	75
PID 1220 wrote to memory of 1712	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	76
PID 1220 wrote to memory of 1712	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	76
PID 1220 wrote to memory of 1712	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	76
PID 1220 wrote to memory of 2196	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	77
PID 1220 wrote to memory of 2196	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	77
PID 1220 wrote to memory of 2196	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	77
PID 1220 wrote to memory of 2676	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	78
PID 1220 wrote to memory of 2676	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	78
PID 1220 wrote to memory of 2676	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	78
PID 1220 wrote to memory of 1856	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	79
PID 1220 wrote to memory of 1856	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	79
PID 1220 wrote to memory of 1856	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	79
PID 1220 wrote to memory of 1720	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	80
PID 1220 wrote to memory of 1720	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	80
PID 1220 wrote to memory of 1720	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	80
PID 1220 wrote to memory of 2176	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	81
PID 1220 wrote to memory of 2176	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	81
PID 1220 wrote to memory of 2176	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	81
PID 1220 wrote to memory of 2332	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	82
PID 1220 wrote to memory of 2332	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	82
PID 1220 wrote to memory of 2332	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	82
PID 1220 wrote to memory of 2844	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	83
PID 1220 wrote to memory of 2844	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	83
PID 1220 wrote to memory of 2844	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	83
PID 1220 wrote to memory of 2088	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	84
PID 1220 wrote to memory of 2088	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	84
PID 1220 wrote to memory of 2088	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	84
PID 1220 wrote to memory of 1296	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	85
PID 1220 wrote to memory of 1296	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	85
PID 1220 wrote to memory of 1296	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	85
PID 1220 wrote to memory of 2064	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	98
PID 1220 wrote to memory of 2064	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	98
PID 1220 wrote to memory of 2064	1220	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	98
PID 2064 wrote to memory of 2932	2064	dllhost.exe	99
PID 2064 wrote to memory of 2932	2064	dllhost.exe	99
PID 2064 wrote to memory of 2932	2064	dllhost.exe	99
PID 2064 wrote to memory of 3036	2064	dllhost.exe	100
PID 2064 wrote to memory of 3036	2064	dllhost.exe	100
PID 2064 wrote to memory of 3036	2064	dllhost.exe	100
PID 2932 wrote to memory of 1504	2932	WScript.exe	101
PID 2932 wrote to memory of 1504	2932	WScript.exe	101
PID 2932 wrote to memory of 1504	2932	WScript.exe	101
PID 1504 wrote to memory of 2264	1504	dllhost.exe	102
PID 1504 wrote to memory of 2264	1504	dllhost.exe	102
PID 1504 wrote to memory of 2264	1504	dllhost.exe	102
PID 1504 wrote to memory of 1780	1504	dllhost.exe	103
PID 1504 wrote to memory of 1780	1504	dllhost.exe	103
PID 1504 wrote to memory of 1780	1504	dllhost.exe	103
PID 2264 wrote to memory of 2116	2264	WScript.exe	104
PID 2264 wrote to memory of 2116	2264	WScript.exe	104
PID 2264 wrote to memory of 2116	2264	WScript.exe	104
PID 2116 wrote to memory of 2924	2116	dllhost.exe	105
PID 2116 wrote to memory of 2924	2116	dllhost.exe	105
PID 2116 wrote to memory of 2924	2116	dllhost.exe	105
PID 2116 wrote to memory of 2260	2116	dllhost.exe	106
PID 2116 wrote to memory of 2260	2116	dllhost.exe	106
PID 2116 wrote to memory of 2260	2116	dllhost.exe	106
PID 2924 wrote to memory of 976	2924	WScript.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
"C:\Users\Admin\AppData\Local\Temp\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Program Files\Windows Photo Viewer\dllhost.exe
  "C:\Program Files\Windows Photo Viewer\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5b92f49-c8c6-46a4-a70e-a0db0d92c949.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Program Files\Windows Photo Viewer\dllhost.exe
      "C:\Program Files\Windows Photo Viewer\dllhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\256ed08a-dffa-47a0-b081-5e7908479c18.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2264
      - C:\Program Files\Windows Photo Viewer\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b770e92-9d9e-40f0-bbed-af66a3f90f2c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Program Files\Windows Photo Viewer\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccd83492-f090-4b3b-bff6-f49ab0f23c26.vbs"
        9⤵
        
        PID:1816
        
        C:\Program Files\Windows Photo Viewer\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dd0b25b-2ea4-476a-86a4-2a2017ec72bc.vbs"
        11⤵
        
        PID:2876
        
        C:\Program Files\Windows Photo Viewer\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec7e4b8e-b82f-4cb5-82d4-7e434bd418bd.vbs"
        13⤵
        
        PID:304
        
        C:\Program Files\Windows Photo Viewer\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04f398ef-d68b-4a3e-96c9-f7979b4fa92d.vbs"
        15⤵
        
        PID:320
        
        C:\Program Files\Windows Photo Viewer\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3573397e-4473-4f6d-96ee-9a5dc35d6123.vbs"
        17⤵
        
        PID:632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9195e1ed-bd42-4b1f-bc81-5637eb9be98b.vbs"
        17⤵
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2939bbda-cd78-405d-a2f1-a9920364d24a.vbs"
        15⤵
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98938b39-77b9-4288-917c-d979ed42c4a5.vbs"
        13⤵
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37426025-bfea-4afa-b808-12db07b5b495.vbs"
        11⤵
        
        PID:1272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3f0a3ac-0e91-4568-99c9-9227af760856.vbs"
        9⤵
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14320672-a902-4cf2-b223-d2f7b6e45381.vbs"
        7⤵
        
        PID:2260
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62c96dda-90b8-40b2-af30-ba7918b97a3d.vbs"
        5⤵
        
        PID:1780
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bbace4e-8405-4806-bf40-b00f8c0af71a.vbs"
    3⤵
    PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\AvailableNetwork\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\AvailableNetwork\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d536" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53" /sc ONLOGON /tr "'C:\Users\Default\Desktop\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d536" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\Engines\SR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\SR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\Engines\SR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d536" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d536" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temporary Internet Files\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temporary Internet Files\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temporary Internet Files\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RCXCE48.tmp

Filesize
1.7MB

MD5
12e707efe2524b8230a5637b7df6f2d2

SHA1
38c360dbbb0cdd3f36073c0b72c5567c05dcf0a3

SHA256
73b009aa39dc9610b716ae6b7378427b0d40a03e2236952e482c917a5823d546

SHA512
e781fb588f485e462b8d976b96e013f284f38395dbd4a0f4a37060cef36d60467e9987e0b7995aec3bc794fda6c1fb1262824c5537ff0e34ce312a9f93e0e9a4

Download Submit
C:\Program Files\Windows Photo Viewer\dllhost.exe

Filesize
1.7MB

MD5
3992e9a4d732712b7a1461c43bb7f6a1

SHA1
299eb4766511dad9aa081e52d5a378540558e579

SHA256
ee56cad0610ac5ad9755044c7734a4ab905d2b75c3227c5252f59f0084b95790

SHA512
537d868ba3ddadedfc9878859a952ff03f532d26d7906d60a80b1368a121f0b4a1746fefdaede4e723daa1a14a1134ec66b3deed8677674398cd60c38b669406

Download Submit
C:\Program Files\Windows Portable Devices\wininit.exe

Filesize
1.7MB

MD5
f1c7ba434142190a707f597065fda0fc

SHA1
1c2991037471e1247910ca32f4435309bf7ff7fd

SHA256
65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53

SHA512
9aed1b32c9d40149f41afbf88dd9757f52a52d26889b89d47defca85ea39a25c675d0a31c092657c8cfd8473f1130c8323efa9091c00eec4d733f7e29e1743eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\04f398ef-d68b-4a3e-96c9-f7979b4fa92d.vbs

Filesize
725B

MD5
5fb203dec781c5fd7d374ed445336138

SHA1
e455ce4a948d4b1eef4d5335739d9756c275256f

SHA256
9dcde58a5e85736e2cc0e98b1980c1d0e38e62dcad87d00cbf1bc10a30162dec

SHA512
b25964cff0a64729cd2a3a5d4591776a12e5eaee785f170cd2cd27d33e2923fce803f48d8353acd03dd4e7c84281676a9999d5122e8e330bdb9c95da267e2d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dd0b25b-2ea4-476a-86a4-2a2017ec72bc.vbs

Filesize
724B

MD5
de476613f525702a6c0397e4cf00a20d

SHA1
96bff98e48865f5d0a0831d27595c46c8a33cedb

SHA256
c51ef6b92529f467815c43250aeaa22e36435716722111adda422de34ee4a5e1

SHA512
9b9e71a4e42b3cd15bfab1734ce9e5f612bfcd64389b3214bba923f67cea2a7dd428ccd7bcc70e31581103974df670343ab3c7ec93b4e30b478718a2c4b3daf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\256ed08a-dffa-47a0-b081-5e7908479c18.vbs

Filesize
725B

MD5
cc3e8a83baaa74749b8b288635f0bfd2

SHA1
714eecd774925324106fe2757001905bc613dc52

SHA256
6247252bad5dc8ef1e06eefc8a3d5cfa33b4360689c745c81640f736d5c3a98d

SHA512
4205e62fdecbcd4e222230d4c9f6ff238d22fa3c839c303c53fe549389379852849443996f7366eeedf04b43acd7c8141e4e430e2b64856f2a2a7cf33cacfcfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\3573397e-4473-4f6d-96ee-9a5dc35d6123.vbs

Filesize
725B

MD5
0e90eb07a29736670cb38e7bf65d9777

SHA1
eaf14097a1e89f98cbcbcc55ceef2f4d51945d34

SHA256
49dc5e937f66fd8effe356eac92452924f05d48749ce3e28db8afabfa277167a

SHA512
c0b8f33fc34194596f1f902299e536be3c4767c876f94c66303e6111becb6dbb6381893509aac45b5c868e16297fc0c0dd7c53801432f39b9dda2f5a8da4c9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b770e92-9d9e-40f0-bbed-af66a3f90f2c.vbs

Filesize
725B

MD5
9b52bc73a2823eacb6826f1c5c22cc0d

SHA1
26eb97bc9a4e6d81d570a39e1251b2d1ea82a0af

SHA256
885e21aa3a97f960a2f901e3dc9af80a9f455321e9004f8e04707502e88a6593

SHA512
9a46b552b632a522ebc013cf6fe818150c6232f0f4f5ebdbfcb9386c5a6fa57f771ec5f1c309ccbee10472eb3235184a66a1e26e654992dcc916ab45fb445d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bbace4e-8405-4806-bf40-b00f8c0af71a.vbs

Filesize
501B

MD5
7ee1d706d92a68be7750872c61351da0

SHA1
0030c9a6730e01c2fc4194c695c1c463a73d9d78

SHA256
2d0b3262e16256978b23b7aff6367fa019cef0318cd9524b39ed4e57fe4be938

SHA512
3a5da1530e34f4ef42b3726e86cdd72ce4892024ac07f68dcb0b5fda8b469c75f3235d8f6a23005db11e01a66e33d1269fd3eb5cd79f64984cef608996311e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5b92f49-c8c6-46a4-a70e-a0db0d92c949.vbs

Filesize
725B

MD5
f9f33d88d14768368dfd185204b32f3e

SHA1
d98980e0275effaa6cd6a1f69e779a1c090cbdd6

SHA256
8b3cbd30cbfaf33c1c5f4932e44df5eb859b1dcf28b335544d509228a3b7bf85

SHA512
ddef1ed1e8c7937819d3ad329609d144e3dc75f465e58477f4add6cfaa311160ba739819e463880c394a22dcc93a52f6d6296bad82282ba5efaca6c5ebb1d1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccd83492-f090-4b3b-bff6-f49ab0f23c26.vbs

Filesize
724B

MD5
d7470250041aee58eca2d81bd749ea0d

SHA1
7b24782dce47bcbdfe52252e3fee4f408ee29a0e

SHA256
974d5025d87de4044327a88bfff4feb1051429404bee486c30f15bd53a8a29ba

SHA512
4943db67a423b668f54a7b2ef736d0fc4b5a6a397dcf7cf79b279c163d69e82bf2d6a0eefdbec7965147696b9e73f2a456ce444ae90c6012a4823ecb709b8279

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec7e4b8e-b82f-4cb5-82d4-7e434bd418bd.vbs

Filesize
725B

MD5
fbef17f2dc5646937ce8029d3c4c0539

SHA1
5cc57ef1861cad6e4cf0f43d208050b759dfd89c

SHA256
20df8a19f095604df2779e1987d38722576f1d501161cb71187e6fd9dcac6897

SHA512
faedf01d9578709d73f554065a3d3b796f1798abc3f4d8c5e7fcff864b00848643338bf42fb327c9b0f29540c82ad13362f977e5b55f901bc4a4f676617d7c22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6548d6bcf62306ff003c922c629cfce1

SHA1
836193b330ca9e60fc0e5fb4b8f00099821a25d6

SHA256
50acb2914f9fe36c44c3e787dd3ab23ff1bf006770f5615122f38bf966940bbc

SHA512
2e40552ff61e491e59f56de65d3d7ca79e75f86506763693723e0c975741ebf2960097ab7c5a7c0b9302f3480869b0d075a2687aea1978e1d8e7e6e24ee22cf6

Download Submit
C:\Users\Admin\OSPPSVC.exe

Filesize
1.7MB

MD5
ce09b547a30b6a628a78aeeeadcf0655

SHA1
200789e1fcbca5e719a31b8a4c6246282ec88c38

SHA256
d3a3e75b98dced45955326e50e660eddded64166f9096ad282cfaa127f5e86fe

SHA512
17ba6304136a17576bce5b5d373195b87abdac7a68d54bf41215ef1ada31071ab33727d98de12fe3c538c12cb14dadf750af01b95468e65c70f261709fb3ccf6

Download Submit
C:\Users\Default\Desktop\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Filesize
1.7MB

MD5
a59a7cba6a2e9d08e1bd799ae2fef10f

SHA1
805b5f9e9022204a3d106d29cd6a70c61175cd2d

SHA256
ae7e73feb90e7f1c807a810006f1cdc4ec1c23d3d1e0e969396716f3708b11b4

SHA512
40262a6cf8403a2d11b08188c09639eb5ffa3c15ea18ccefa270b07468c8278e4ed977c878d09f84c69ca2ee8cef854bc9764fd979ad7f1df950774be79cf6a3

Download Submit
C:\Windows\Speech\Engines\SR\csrss.exe

Filesize
1.7MB

MD5
58b1750903677a940e49ebe09d949fe0

SHA1
be1654e76b4d6439c44015f05df953c7575535a2

SHA256
60d9f1093862aba4b370d767f233e840907bbdd6ae8c97b26473fdd1d78b4470

SHA512
7d74407832033ebef2969125aac6818a53b286878d80963f248d00a23528149bd7f9813437aa421892537e0fc3a7c9616bfacd75a3012e63e8ef623040676018

Download Submit
memory/620-331-0x0000000000F50000-0x0000000001110000-memory.dmp

Filesize
1.8MB

Download
memory/620-332-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/976-319-0x0000000000DA0000-0x0000000000F60000-memory.dmp

Filesize
1.8MB

Download
memory/1220-13-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/1220-5-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1220-17-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/1220-16-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/1220-177-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

Filesize
4KB

Download
memory/1220-15-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/1220-201-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-14-0x0000000000720000-0x000000000072E000-memory.dmp

Filesize
56KB

Download
memory/1220-216-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-1-0x0000000000CA0000-0x0000000000E60000-memory.dmp

Filesize
1.8MB

Download
memory/1220-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-249-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/1220-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

Filesize
4KB

Download
memory/1220-12-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/1220-4-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/1220-11-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1220-18-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-9-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/1220-8-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/1220-6-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/1220-7-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1260-344-0x00000000011C0000-0x0000000001380000-memory.dmp

Filesize
1.8MB

Download
memory/1504-295-0x0000000000D80000-0x0000000000F40000-memory.dmp

Filesize
1.8MB

Download
memory/1712-241-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1824-368-0x0000000000FE0000-0x00000000011A0000-memory.dmp

Filesize
1.8MB

Download
memory/2064-248-0x0000000000070000-0x0000000000230000-memory.dmp

Filesize
1.8MB

Download
memory/2116-307-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2132-356-0x00000000003C0000-0x0000000000580000-memory.dmp

Filesize
1.8MB

Download
memory/2844-247-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download