dcrat | 65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
Size

1.7MB
MD5

f1c7ba434142190a707f597065fda0fc
SHA1

1c2991037471e1247910ca32f4435309bf7ff7fd
SHA256

65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53
SHA512

9aed1b32c9d40149f41afbf88dd9757f52a52d26889b89d47defca85ea39a25c675d0a31c092657c8cfd8473f1130c8323efa9091c00eec4d733f7e29e1743eb
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv0:OTHUxUoh1IF9gl23

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2776	schtasks.exe	31

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2496-1-0x00000000003D0000-0x0000000000590000-memory.dmp	dcrat
behavioral1/files/0x000500000001942c-27.dat	dcrat
behavioral1/files/0x000600000001a377-83.dat	dcrat
behavioral1/files/0x00150000000141df-141.dat	dcrat
behavioral1/files/0x000a000000019506-199.dat	dcrat
behavioral1/memory/2716-283-0x0000000000AE0000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/2540-295-0x0000000000F70000-0x0000000001130000-memory.dmp	dcrat
behavioral1/memory/1724-319-0x0000000000380000-0x0000000000540000-memory.dmp	dcrat
behavioral1/memory/2708-331-0x0000000000960000-0x0000000000B20000-memory.dmp	dcrat
behavioral1/memory/848-344-0x0000000000C50000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/2308-356-0x00000000000A0000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2904-369-0x0000000001310000-0x00000000014D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2220	powershell.exe
2384	powershell.exe
2580	powershell.exe
2724	powershell.exe
1740	powershell.exe
1500	powershell.exe
2616	powershell.exe
2644	powershell.exe
3060	powershell.exe
2696	powershell.exe
316	powershell.exe
1928	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Executes dropped EXE 8 IoCs

pid	Process
2716	WMIADAP.exe
2540	WMIADAP.exe
2420	WMIADAP.exe
1724	WMIADAP.exe
2708	WMIADAP.exe
848	WMIADAP.exe
2308	WMIADAP.exe
2904	WMIADAP.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\7a0fd90576e088	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\5940a34987c991	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Mail\it-IT\6ccacd8608530f	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXF87C.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCXFE9A.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\RCX5C2.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\RCX5D2.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\886983d96e3d3e	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\MSBuild\explorer.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXF166.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXF87D.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCXFF09.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Mail\56085415360792	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Mail\it-IT\Idle.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXF136.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Mail\RCXF5FB.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\MSBuild\explorer.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\Idle.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Mail\wininit.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Mail\RCXF5FC.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Mail\wininit.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CSC\Idle.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\CSC\v2.0.6\OSPPSVC.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\CSC\Idle.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\CSC\6ccacd8608530f	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\CSC\RCXC7C.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\CSC\RCXC7D.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2848	schtasks.exe
1708	schtasks.exe
772	schtasks.exe
2964	schtasks.exe
2380	schtasks.exe
2696	schtasks.exe
2648	schtasks.exe
2184	schtasks.exe
1768	schtasks.exe
2772	schtasks.exe
536	schtasks.exe
1908	schtasks.exe
2976	schtasks.exe
1544	schtasks.exe
300	schtasks.exe
2628	schtasks.exe
2568	schtasks.exe
2632	schtasks.exe
2168	schtasks.exe
840	schtasks.exe
2224	schtasks.exe
2852	schtasks.exe
2748	schtasks.exe
2000	schtasks.exe
2612	schtasks.exe
1156	schtasks.exe
444	schtasks.exe
1360	schtasks.exe
308	schtasks.exe
2880	schtasks.exe
2968	schtasks.exe
2440	schtasks.exe
2796	schtasks.exe
2220	schtasks.exe
2004	schtasks.exe
848	schtasks.exe
2900	schtasks.exe
2804	schtasks.exe
2536	schtasks.exe
2044	schtasks.exe
1576	schtasks.exe
1616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
2644	powershell.exe
2724	powershell.exe
2384	powershell.exe
2696	powershell.exe
2220	powershell.exe
2616	powershell.exe
1740	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2716	WMIADAP.exe
Token: SeDebugPrivilege	2540	WMIADAP.exe
Token: SeDebugPrivilege	2420	WMIADAP.exe
Token: SeDebugPrivilege	1724	WMIADAP.exe
Token: SeDebugPrivilege	2708	WMIADAP.exe
Token: SeDebugPrivilege	848	WMIADAP.exe
Token: SeDebugPrivilege	2308	WMIADAP.exe
Token: SeDebugPrivilege	2904	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2384	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	74
PID 2496 wrote to memory of 2384	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	74
PID 2496 wrote to memory of 2384	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	74
PID 2496 wrote to memory of 2644	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	76
PID 2496 wrote to memory of 2644	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	76
PID 2496 wrote to memory of 2644	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	76
PID 2496 wrote to memory of 3060	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	77
PID 2496 wrote to memory of 3060	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	77
PID 2496 wrote to memory of 3060	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	77
PID 2496 wrote to memory of 2616	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	78
PID 2496 wrote to memory of 2616	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	78
PID 2496 wrote to memory of 2616	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	78
PID 2496 wrote to memory of 2220	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	79
PID 2496 wrote to memory of 2220	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	79
PID 2496 wrote to memory of 2220	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	79
PID 2496 wrote to memory of 1500	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	81
PID 2496 wrote to memory of 1500	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	81
PID 2496 wrote to memory of 1500	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	81
PID 2496 wrote to memory of 1740	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	82
PID 2496 wrote to memory of 1740	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	82
PID 2496 wrote to memory of 1740	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	82
PID 2496 wrote to memory of 2724	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	83
PID 2496 wrote to memory of 2724	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	83
PID 2496 wrote to memory of 2724	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	83
PID 2496 wrote to memory of 1928	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	84
PID 2496 wrote to memory of 1928	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	84
PID 2496 wrote to memory of 1928	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	84
PID 2496 wrote to memory of 316	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	85
PID 2496 wrote to memory of 316	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	85
PID 2496 wrote to memory of 316	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	85
PID 2496 wrote to memory of 2580	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	86
PID 2496 wrote to memory of 2580	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	86
PID 2496 wrote to memory of 2580	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	86
PID 2496 wrote to memory of 2696	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	87
PID 2496 wrote to memory of 2696	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	87
PID 2496 wrote to memory of 2696	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	87
PID 2496 wrote to memory of 2716	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	98
PID 2496 wrote to memory of 2716	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	98
PID 2496 wrote to memory of 2716	2496	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	98
PID 2716 wrote to memory of 2836	2716	WMIADAP.exe	99
PID 2716 wrote to memory of 2836	2716	WMIADAP.exe	99
PID 2716 wrote to memory of 2836	2716	WMIADAP.exe	99
PID 2716 wrote to memory of 2412	2716	WMIADAP.exe	100
PID 2716 wrote to memory of 2412	2716	WMIADAP.exe	100
PID 2716 wrote to memory of 2412	2716	WMIADAP.exe	100
PID 2836 wrote to memory of 2540	2836	WScript.exe	101
PID 2836 wrote to memory of 2540	2836	WScript.exe	101
PID 2836 wrote to memory of 2540	2836	WScript.exe	101
PID 2540 wrote to memory of 2236	2540	WMIADAP.exe	102
PID 2540 wrote to memory of 2236	2540	WMIADAP.exe	102
PID 2540 wrote to memory of 2236	2540	WMIADAP.exe	102
PID 2540 wrote to memory of 956	2540	WMIADAP.exe	103
PID 2540 wrote to memory of 956	2540	WMIADAP.exe	103
PID 2540 wrote to memory of 956	2540	WMIADAP.exe	103
PID 2236 wrote to memory of 2420	2236	WScript.exe	104
PID 2236 wrote to memory of 2420	2236	WScript.exe	104
PID 2236 wrote to memory of 2420	2236	WScript.exe	104
PID 2420 wrote to memory of 1692	2420	WMIADAP.exe	105
PID 2420 wrote to memory of 1692	2420	WMIADAP.exe	105
PID 2420 wrote to memory of 1692	2420	WMIADAP.exe	105
PID 2420 wrote to memory of 2488	2420	WMIADAP.exe	106
PID 2420 wrote to memory of 2488	2420	WMIADAP.exe	106
PID 2420 wrote to memory of 2488	2420	WMIADAP.exe	106
PID 1692 wrote to memory of 1724	1692	WScript.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
"C:\Users\Admin\AppData\Local\Temp\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Users\Default\My Documents\WMIADAP.exe
  "C:\Users\Default\My Documents\WMIADAP.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d0f655f-f65d-4f91-8446-95235fe28add.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Default\My Documents\WMIADAP.exe
      "C:\Users\Default\My Documents\WMIADAP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04921a29-2735-4b38-903c-513f11dae5cd.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Users\Default\My Documents\WMIADAP.exe
        
        "C:\Users\Default\My Documents\WMIADAP.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5851aac1-d8c1-4e14-ac18-66bdc1bc5a90.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Users\Default\My Documents\WMIADAP.exe
        
        "C:\Users\Default\My Documents\WMIADAP.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f529966a-4055-4648-a9f9-b97de003f58b.vbs"
        9⤵
        
        PID:1840
        
        C:\Users\Default\My Documents\WMIADAP.exe
        
        "C:\Users\Default\My Documents\WMIADAP.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7579435-a2ba-4410-98c6-f5ec2957b455.vbs"
        11⤵
        
        PID:2192
        
        C:\Users\Default\My Documents\WMIADAP.exe
        
        "C:\Users\Default\My Documents\WMIADAP.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08b93acd-05a8-426c-9f02-9ed28330230c.vbs"
        13⤵
        
        PID:1788
        
        C:\Users\Default\My Documents\WMIADAP.exe
        
        "C:\Users\Default\My Documents\WMIADAP.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7477a4d-5acd-4138-8c96-58661f4e2c44.vbs"
        15⤵
        
        PID:2240
        
        C:\Users\Default\My Documents\WMIADAP.exe
        
        "C:\Users\Default\My Documents\WMIADAP.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a61a1695-6ed0-4b59-a766-620b6e5aa36d.vbs"
        17⤵
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1ade9fc-6007-4bd9-862a-e16b346288a3.vbs"
        17⤵
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d25e8d4-754f-43d3-8486-aac30daec214.vbs"
        15⤵
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f79f6264-390d-46a7-818e-28b75c52d65b.vbs"
        13⤵
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cdd7f60-4de8-4819-aa4f-0e84e476b65d.vbs"
        11⤵
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71246075-d023-4939-9ccd-795f71178b30.vbs"
        9⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47e69c19-bb7e-4c96-b7d1-655054a367d7.vbs"
        7⤵
        
        PID:2488
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42a2d582-a9c1-4627-905a-acd54a4d47aa.vbs"
        5⤵
        
        PID:956
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\355e7d81-700c-409b-b061-cb6e89ffa87e.vbs"
    3⤵
    PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d536" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53" /sc ONLOGON /tr "'C:\Users\Default User\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d536" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\My Documents\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\CSC\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\CSC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\CSC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe

Filesize
1.7MB

MD5
7bc46b7fe4624f7972482dd22005350f

SHA1
7cfabd91959f7f20df32d6695f6b30c3b017a28f

SHA256
c17204872b884377882041637ef3c4210aa102f544a1f8c66e613ebb98acd59b

SHA512
190ebe3c74d5bc5fe895e6bbda684b0334bc94fea1a1fb9fb9b341e4d927f19d0d43c3b8b32e2dcd010be0d22e0d0df7aa34419b807b95ec9f1b7a579a08bd40

Download Submit
C:\Program Files (x86)\MSBuild\explorer.exe

Filesize
1.7MB

MD5
f1c7ba434142190a707f597065fda0fc

SHA1
1c2991037471e1247910ca32f4435309bf7ff7fd

SHA256
65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53

SHA512
9aed1b32c9d40149f41afbf88dd9757f52a52d26889b89d47defca85ea39a25c675d0a31c092657c8cfd8473f1130c8323efa9091c00eec4d733f7e29e1743eb

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe

Filesize
1.7MB

MD5
c065072b4447026c6ea9ce6b85a7a4a1

SHA1
e397e5706ed239e4e96f158befa0c05983f64dc1

SHA256
b27961f0c5d47db596d6b8b142cfb294c881719214059aff0d188bbf69a692ec

SHA512
ad01d150740a83a37c9a84df1cfe59b32764543d0d58b2fba18bbb9de67a90162b5c706815bd304010145f7b020ccc241c9a836478760f1dad8f663fb3e8c3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\04921a29-2735-4b38-903c-513f11dae5cd.vbs

Filesize
717B

MD5
8663be7f8a450c47750897938f66091c

SHA1
caf16571e59363cafdf5ac0147241957fd9d8122

SHA256
72595f09247cf21b8682f90485e627860ef14b7b84459751b6044a304956520c

SHA512
a010d99bce0186afccd4eea8058461c6659539c0e667ca9f329d25de352f91bb56a3ca3e57968e5f4c9e203e4599b0e81fe9d9bc63efa396ca703abe2c696290

Download Submit
C:\Users\Admin\AppData\Local\Temp\08b93acd-05a8-426c-9f02-9ed28330230c.vbs

Filesize
716B

MD5
8f732eaec8e7fa4fd47b3c876edfe115

SHA1
fb5e7f4df33608089edd214d409cf42fa6d88e41

SHA256
16300fe1c614ae7f64e39d1fc7071e4accd0e608f75819565c7ed94158d1430c

SHA512
e60dd79ba40a8c80e3d8cde31be30c931a76bbfb1ac03f965bb72df3d1c94deb62e1439e0176f79b84e76f98f431fa874706a7e4737fae924a0b80c943519d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\355e7d81-700c-409b-b061-cb6e89ffa87e.vbs

Filesize
493B

MD5
88534faa33b5ea16da544907a71834af

SHA1
78e64c1a462bd5fa7319ea7553236e8df801ba0f

SHA256
e40525277d2344844b2091213a4dd3e6de61b7fc2df3866cd39cd4d9583e76e0

SHA512
56e47889d6c31f713fa40d46895a36a55e238ec60bb21b84a8ac001ce15ed56811fbdf3222f54ac5a6ab3813b50ad1e12e065ebb9a9e206740922aada3794388

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d0f655f-f65d-4f91-8446-95235fe28add.vbs

Filesize
717B

MD5
62a956da9b588c2d8d73049a568c0329

SHA1
61921a102c10dbd5f7a9b2d2fb3a97e8e9c68ebd

SHA256
f46a1ac85dff3e31abf7ac315e77bdcff285ca3c6689f777f0b010d26ec6642c

SHA512
d1b09ab42fb21a17537354e84490dbfb69f4e1b203570e271c909b16b2a948a8216731b0523bea361d5209ecd46d70f0be3ab3f8f789b78f7b6a2ad27c1417b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851aac1-d8c1-4e14-ac18-66bdc1bc5a90.vbs

Filesize
717B

MD5
26d7a7c55845eb38b69dc16d4b1d2108

SHA1
5ba992c0424681a8f9027daa46a07274ca05a155

SHA256
ada29fba65893502f7afe407c166f572b31cde99efd140d4fb026dccc01bf56c

SHA512
298b281fc79f75d0061e7015dad8bf524e7c7a548df99a72dbd202a886989c1b7f50633c26ebdcccb3c88d55be4cca632bbd63dde7cc63872c5d03cdc99751fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a61a1695-6ed0-4b59-a766-620b6e5aa36d.vbs

Filesize
717B

MD5
e7ffd04e1dd54986ab5cdbb3a1ab6a6f

SHA1
19f7c9b1eb370520dcafebd078966036d121f79c

SHA256
c48583c29981c24b8b899c6756527e81ec29f7ad4e6546fc2f6ae32a62c0722c

SHA512
c14989d750e8e81134464013aacfe623de12391cc767d3acf34aa6adf2026fd5f27ba2db6a68a7551de6e39f54788416cadd5fddcd5d2dee84769993e7b06ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7477a4d-5acd-4138-8c96-58661f4e2c44.vbs

Filesize
717B

MD5
075591d319ca7f861518d3c299159648

SHA1
370b5018db1571b37ce711ab81b3c51134595fd6

SHA256
13a27f71c9ccdfc021166a80a844c1277aea6e55270be8f86192ddfc075f234a

SHA512
2308f746ff5a45a81b1685d492183484414c1423baf8a0e5186befb99e36f9863422407df160630f7e7e8b1e1efc5a2c3d4bc364d274ef88a7dfa53b51fd1631

Download Submit
C:\Users\Admin\AppData\Local\Temp\f529966a-4055-4648-a9f9-b97de003f58b.vbs

Filesize
717B

MD5
110e416fbd9d11c19d231c6f43e2fcad

SHA1
11c4574cfe30a755fdfc52c3f73e30be6ffe2c5b

SHA256
eb7980f9957ddd04103ec885c286bec357d5c7b09a3f082926727450f764f2ed

SHA512
d7fe0a27c6dcf6464cdc5a210eb4d58a6b91a81f6b629616226988fad8799589a9341a23ab5bd2ee8f3b08aa1b31d184c766c083b5eeeddf1b83093446cb6cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7579435-a2ba-4410-98c6-f5ec2957b455.vbs

Filesize
717B

MD5
1d209458e9f1748cbeed0a0995165b34

SHA1
a154bf31d558842fc7f8b0f2668d47d102b60bd9

SHA256
d200810cf72095a64614630fa9bc6d12fe7cd421a641820e52da6f1f43d667e6

SHA512
eab4eeef8914e0c7315f9d03826c9f862ec07adfed8675bb8d6b86efbe65e131749b0ac95b3601791baab41419e1378d3447c1b721d686b8a5f1fcc0f026580a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M8K3UBAWXA51G8WBHJK5.temp

Filesize
7KB

MD5
3d7edde0eace898be8c16c88226b6916

SHA1
4c8815725d166ae5c1036296b515dcb6ee43b924

SHA256
c1c5436b83429e0c3baa8c28e1de71ee41cab06470c254fa88445b1acad3f706

SHA512
4b5ca922b01624b81f8d51833c7d61f538f66183a47886750b70bc10f1446ce437a7807fb0e5b160dbb1930b57c2346758a81ba4d543dedd6a1eb6e8c41e5a23

Download Submit
C:\Users\Default\Documents\WMIADAP.exe

Filesize
1.7MB

MD5
0afddcff0221809d245d7a7cc566b8b9

SHA1
d951656051ead71dc0b4e937e90a6d631185730e

SHA256
b31009b850ffb782d8012af183b08afbf20974fa6bc6168f21f7d9f8d52fb00b

SHA512
3e94974e717c547adcfb88dace3408fc1713f740a8f79bb7082a7b72e2c0f6b43b6753cef77269dd8e601b5dd41eb85a987546d856fa842ebdc993ce2195f13b

Download Submit
memory/848-344-0x0000000000C50000-0x0000000000E10000-memory.dmp

Filesize
1.8MB

Download
memory/1724-319-0x0000000000380000-0x0000000000540000-memory.dmp

Filesize
1.8MB

Download
memory/2308-356-0x00000000000A0000-0x0000000000260000-memory.dmp

Filesize
1.8MB

Download
memory/2308-357-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2420-307-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2496-14-0x0000000000B30000-0x0000000000B3E000-memory.dmp

Filesize
56KB

Download
memory/2496-6-0x0000000000700000-0x0000000000716000-memory.dmp

Filesize
88KB

Download
memory/2496-167-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/2496-192-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-17-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/2496-216-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-16-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/2496-1-0x00000000003D0000-0x0000000000590000-memory.dmp

Filesize
1.8MB

Download
memory/2496-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-3-0x00000000006D0000-0x00000000006EC000-memory.dmp

Filesize
112KB

Download
memory/2496-284-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-15-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/2496-13-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/2496-4-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2496-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/2496-12-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/2496-11-0x00000000008D0000-0x00000000008E2000-memory.dmp

Filesize
72KB

Download
memory/2496-9-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/2496-8-0x00000000008B0000-0x00000000008BC000-memory.dmp

Filesize
48KB

Download
memory/2496-5-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/2496-19-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-7-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/2540-295-0x0000000000F70000-0x0000000001130000-memory.dmp

Filesize
1.8MB

Download
memory/2616-260-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2644-259-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2708-332-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2708-331-0x0000000000960000-0x0000000000B20000-memory.dmp

Filesize
1.8MB

Download
memory/2716-283-0x0000000000AE0000-0x0000000000CA0000-memory.dmp

Filesize
1.8MB

Download
memory/2904-369-0x0000000001310000-0x00000000014D0000-memory.dmp

Filesize
1.8MB

Download