dcrat | 0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
Size

1.7MB
MD5

72cb277e1913e5e5b20651f1f9f1af40
SHA1

11d7a90ee561e39807428267387ea6c6c434ee24
SHA256

0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81
SHA512

0838d7441404feae5e0fdb62153a1179e8fd8381aca61e49cc70adcfa657c2aedce031f1de34142ff52e48b9f016709f4cc8ccb2d8b949fc621c0a6402bd253d
SSDEEP

49152:/+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:STHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 25 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1332	schtasks.exe	30

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2744-1-0x0000000000BD0000-0x0000000000D90000-memory.dmp	dcrat
behavioral1/files/0x000500000001a494-27.dat	dcrat
behavioral1/files/0x000a00000001a4c3-98.dat	dcrat
behavioral1/files/0x000700000001a494-109.dat	dcrat
behavioral1/files/0x000600000001a4af-131.dat	dcrat
behavioral1/memory/2092-216-0x0000000000D60000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/2848-227-0x00000000010A0000-0x0000000001260000-memory.dmp	dcrat
behavioral1/memory/2984-239-0x0000000000160000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/1088-252-0x0000000000CF0000-0x0000000000EB0000-memory.dmp	dcrat
behavioral1/memory/304-264-0x0000000001050000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/2372-276-0x0000000000300000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/1304-288-0x0000000000FB0000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/1804-300-0x00000000002B0000-0x0000000000470000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1304	powershell.exe
1760	powershell.exe
2004	powershell.exe
2604	powershell.exe
1756	powershell.exe
2020	powershell.exe
1828	powershell.exe
1936	powershell.exe
1268	powershell.exe
2356	powershell.exe
764	powershell.exe
1244	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe

Executes dropped EXE 8 IoCs

pid	Process
2092	winlogon.exe
2848	winlogon.exe
2984	winlogon.exe
1088	winlogon.exe
304	winlogon.exe
2372	winlogon.exe
1304	winlogon.exe
1804	winlogon.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\69ddcba757bf72	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCX3109.tmp	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX337B.tmp	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX33E9.tmp	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\RCX385F.tmp	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Program Files\Internet Explorer\en-US\f3b6ecef712a24	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\smss.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\spoolsv.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\cc11b995f2a76d	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\smss.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\RCX38CD.tmp	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Program Files\Internet Explorer\en-US\spoolsv.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\f3b6ecef712a24	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCX2F04.tmp	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\spoolsv.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\spoolsv.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCX2F05.tmp	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCX3177.tmp	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2500	schtasks.exe
3000	schtasks.exe
2980	schtasks.exe
2788	schtasks.exe
1992	schtasks.exe
1632	schtasks.exe
2448	schtasks.exe
1804	schtasks.exe
992	schtasks.exe
588	schtasks.exe
2640	schtasks.exe
1796	schtasks.exe
2704	schtasks.exe
2852	schtasks.exe
2416	schtasks.exe
2180	schtasks.exe
2860	schtasks.exe
2708	schtasks.exe
1004	schtasks.exe
2632	schtasks.exe
316	schtasks.exe
2116	schtasks.exe
2452	schtasks.exe
1524	schtasks.exe
2996	schtasks.exe
776	schtasks.exe
2060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2004	powershell.exe
764	powershell.exe
1268	powershell.exe
2356	powershell.exe
1304	powershell.exe
1756	powershell.exe
2604	powershell.exe
2020	powershell.exe
1828	powershell.exe
1244	powershell.exe
1936	powershell.exe
1760	powershell.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe
2092	winlogon.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2092	winlogon.exe
Token: SeDebugPrivilege	2848	winlogon.exe
Token: SeDebugPrivilege	2984	winlogon.exe
Token: SeDebugPrivilege	1088	winlogon.exe
Token: SeDebugPrivilege	304	winlogon.exe
Token: SeDebugPrivilege	2372	winlogon.exe
Token: SeDebugPrivilege	1304	winlogon.exe
Token: SeDebugPrivilege	1804	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2020	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	58
PID 2744 wrote to memory of 2020	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	58
PID 2744 wrote to memory of 2020	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	58
PID 2744 wrote to memory of 1304	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	59
PID 2744 wrote to memory of 1304	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	59
PID 2744 wrote to memory of 1304	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	59
PID 2744 wrote to memory of 1760	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	60
PID 2744 wrote to memory of 1760	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	60
PID 2744 wrote to memory of 1760	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	60
PID 2744 wrote to memory of 2004	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	61
PID 2744 wrote to memory of 2004	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	61
PID 2744 wrote to memory of 2004	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	61
PID 2744 wrote to memory of 1244	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	62
PID 2744 wrote to memory of 1244	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	62
PID 2744 wrote to memory of 1244	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	62
PID 2744 wrote to memory of 1828	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	63
PID 2744 wrote to memory of 1828	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	63
PID 2744 wrote to memory of 1828	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	63
PID 2744 wrote to memory of 1936	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	64
PID 2744 wrote to memory of 1936	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	64
PID 2744 wrote to memory of 1936	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	64
PID 2744 wrote to memory of 1268	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	65
PID 2744 wrote to memory of 1268	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	65
PID 2744 wrote to memory of 1268	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	65
PID 2744 wrote to memory of 2604	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	66
PID 2744 wrote to memory of 2604	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	66
PID 2744 wrote to memory of 2604	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	66
PID 2744 wrote to memory of 2356	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	67
PID 2744 wrote to memory of 2356	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	67
PID 2744 wrote to memory of 2356	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	67
PID 2744 wrote to memory of 1756	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	68
PID 2744 wrote to memory of 1756	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	68
PID 2744 wrote to memory of 1756	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	68
PID 2744 wrote to memory of 764	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	69
PID 2744 wrote to memory of 764	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	69
PID 2744 wrote to memory of 764	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	69
PID 2744 wrote to memory of 1688	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	76
PID 2744 wrote to memory of 1688	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	76
PID 2744 wrote to memory of 1688	2744	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	76
PID 1688 wrote to memory of 2632	1688	cmd.exe	84
PID 1688 wrote to memory of 2632	1688	cmd.exe	84
PID 1688 wrote to memory of 2632	1688	cmd.exe	84
PID 1688 wrote to memory of 2092	1688	cmd.exe	85
PID 1688 wrote to memory of 2092	1688	cmd.exe	85
PID 1688 wrote to memory of 2092	1688	cmd.exe	85
PID 2092 wrote to memory of 1928	2092	winlogon.exe	86
PID 2092 wrote to memory of 1928	2092	winlogon.exe	86
PID 2092 wrote to memory of 1928	2092	winlogon.exe	86
PID 2092 wrote to memory of 2584	2092	winlogon.exe	87
PID 2092 wrote to memory of 2584	2092	winlogon.exe	87
PID 2092 wrote to memory of 2584	2092	winlogon.exe	87
PID 1928 wrote to memory of 2848	1928	WScript.exe	88
PID 1928 wrote to memory of 2848	1928	WScript.exe	88
PID 1928 wrote to memory of 2848	1928	WScript.exe	88
PID 2848 wrote to memory of 1964	2848	winlogon.exe	89
PID 2848 wrote to memory of 1964	2848	winlogon.exe	89
PID 2848 wrote to memory of 1964	2848	winlogon.exe	89
PID 2848 wrote to memory of 2908	2848	winlogon.exe	90
PID 2848 wrote to memory of 2908	2848	winlogon.exe	90
PID 2848 wrote to memory of 2908	2848	winlogon.exe	90
PID 1964 wrote to memory of 2984	1964	WScript.exe	91
PID 1964 wrote to memory of 2984	1964	WScript.exe	91
PID 1964 wrote to memory of 2984	1964	WScript.exe	91
PID 2984 wrote to memory of 2232	2984	winlogon.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
"C:\Users\Admin\AppData\Local\Temp\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\faDLbbQ0dW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2632
- - C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe
    "C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e58c5d6-af8d-4e55-adfa-a0f1b319bc65.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98b29039-360c-4cbd-9af0-be038736ccc1.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3f6893d-a304-4332-a93f-a47bd996d5fc.vbs"
        8⤵
        
        PID:2232
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f4d0071-b337-4ec5-81d5-859a6ee761a5.vbs"
        10⤵
        
        PID:2876
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5380c45b-47a4-4c5b-a44a-44d897a291a6.vbs"
        12⤵
        
        PID:1968
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\669fe87a-a43a-4a8f-988b-43e8c44dec3c.vbs"
        14⤵
        
        PID:980
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52788b6a-e633-4f3c-b984-b928f4e543b4.vbs"
        16⤵
        
        PID:1132
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caa4b80f-4940-4d19-8af0-a653382ba2f9.vbs"
        18⤵
        
        PID:864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d575f4d8-aa07-48d6-9fed-b2c263832461.vbs"
        18⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f26b024b-1466-49cc-bc0f-72dd8b4ff70c.vbs"
        16⤵
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c2f4df9-2183-43db-9dab-74d06137ac91.vbs"
        14⤵
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32ecb0d3-ce50-4b64-930c-67f3cc180477.vbs"
        12⤵
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46507297-f513-4210-80a5-f8ee8bbb762e.vbs"
        10⤵
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f37e511b-d4d3-46c2-9105-19884a6fa8a3.vbs"
        8⤵
        
        PID:1652
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5a90db9-8fa2-4063-9993-504879db8b48.vbs"
        6⤵
        
        PID:2908
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad75fb1f-c49d-4f86-b3f4-5d156994cb61.vbs"
      4⤵
      PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N0" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N" /sc ONLOGON /tr "'C:\MSOCache\All Users\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N0" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\it-IT\smss.exe

Filesize
1.7MB

MD5
28119a8abb8e2d1631b404940f957095

SHA1
78ea70d1b4fffa8898865eaf2827b069bb8e146f

SHA256
0cb5d9d62c2b3a449d4a5174d86146db0214a6d599e29393a4544ece6b29accb

SHA512
5698f65b7f4c2f7224ed6631e86608d12680c14f88940e090d938b41d206275f35b65f55ed5bbb0dbb1f4a55c12818cdc1eff59d849b9209dd03aaf0c786f670

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\spoolsv.exe

Filesize
1.7MB

MD5
fccfc9296fd979f8e176abafd48f8c06

SHA1
a35a1ffbc46e2d81c80cf757b3e3faa319c28932

SHA256
3bd2c372514e7142860000f45866ec08c80d85de62387652da172a9bad23dd45

SHA512
cd900da49c36fad74d6517f712f7478087e25e43bb5749da9c3ab072ca5e759f1d6efbbb88d3cdf545e40f89c999a68de2da6b34344a72e2293e4348e2712ae8

Download Submit
C:\Program Files\Internet Explorer\en-US\spoolsv.exe

Filesize
1.7MB

MD5
72cb277e1913e5e5b20651f1f9f1af40

SHA1
11d7a90ee561e39807428267387ea6c6c434ee24

SHA256
0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81

SHA512
0838d7441404feae5e0fdb62153a1179e8fd8381aca61e49cc70adcfa657c2aedce031f1de34142ff52e48b9f016709f4cc8ccb2d8b949fc621c0a6402bd253d

Download Submit
C:\Program Files\Internet Explorer\en-US\spoolsv.exe

Filesize
1.7MB

MD5
867122efcf7fed4145086a05cd76e9f8

SHA1
75e5a2829a4653fbcc7869f833a66d05a197ecb9

SHA256
81fc1b9695d6a803e29d53cf9d8b918aeb386da62801a29c6790c2843dea4221

SHA512
4c4c32ee28199cf1dcf5d4d0fe4522da7a40a7153b168dad4a9ecafee53656c130c6761323b8ca22f99b2613f3ca010fe34df41e8696600d6c4235c7e01d8e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\52788b6a-e633-4f3c-b984-b928f4e543b4.vbs

Filesize
736B

MD5
bc24d0c11b1e4d02a88cc750546a0e66

SHA1
df9bf6de17f1d7b98a6acf2db678569e97faa921

SHA256
50bea8e6cfe805c6de14ba1c1426e512fb3dd274dc7d49f91b092fe92faaae82

SHA512
9497ae3b6e9413933500ce6d606932a6d5274cf9baf2b104f57443292d2f9cadaf7cff92ed5200e292b061d01fa9b4ef03427f71e2ab466a6d152079643ae2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5380c45b-47a4-4c5b-a44a-44d897a291a6.vbs

Filesize
735B

MD5
bc48d236360c71407312310093db3cc9

SHA1
30c81d58b411259b1f6ca565f882a358484d8e84

SHA256
15e3953cd354502eaf3145d208bc58d8d1786f6064428520fb0128d32c07eaba

SHA512
ec5be552ee1a830147ea01636dec2d62e818a7f31cda983449a42a18dab345b23b33b552109391d980af36b8533c22b3a6598f542e85b2dcf8538d16cf05665e

Download Submit
C:\Users\Admin\AppData\Local\Temp\669fe87a-a43a-4a8f-988b-43e8c44dec3c.vbs

Filesize
736B

MD5
fdce714216ed40d0ae5c41a7079f4160

SHA1
d03d16e25f5699718a8c34f71ab6567d4140956b

SHA256
fe04fbe6ae3a06bc483e52881cf9e2b7c81469b29c740d3db1d64cc811378417

SHA512
3c6c8d2df902579c5ea017fc4b776ee8affa3c03a412c7ee0d2270f23aafdbc194940d4c8a84b2b6dbc14e1e534b384a06bf38fe9df2d2069de7c063b9799dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f4d0071-b337-4ec5-81d5-859a6ee761a5.vbs

Filesize
736B

MD5
ea4feb7710f8974654bd723a3ae191ef

SHA1
ba07665cc6c04de156125f1a75cb3cb6f12d490d

SHA256
4b3c693b3abedc0089d6da664fe1039b92c020100decd84a86fc71f62e4cd504

SHA512
9727b7be00d7ff49ae8723f72c91d1dae0c6293f1420f0b4b6ea3ebf599d9711822366831fa1d3b2050a854982e72612b296bf13bf2772748d8c2b5994832d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\73d1dd182d7ddffa673de4e9862a4c6d52191f71.exe

Filesize
1.7MB

MD5
56c7457839963ba9289a7d70736bc43a

SHA1
1d18aa27a4c13598cfa7ea87f1f0843b92ee45e2

SHA256
9897cb8d2cec486778e097653d7d42178d973e8c0499205710179f67355717ec

SHA512
f40e2b80a5a9376ff1abb5111befc0bed95b580f41b9bc0b4fc5b1d256ec1df6cab10a57ddd970a51481c56989269809b2f271884599c82b0c87e198eeae7afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e58c5d6-af8d-4e55-adfa-a0f1b319bc65.vbs

Filesize
736B

MD5
b99c490fe0ac3967794dd7f8b1c85417

SHA1
5df0c54545c40ee199845f042b5022d36affe7a9

SHA256
a97145896d3544256d42834720f840ce31efb30f262b4a453b726d1791572c2d

SHA512
e32ab92467ec4620fb7974e8ee1d14e3113bb4ec4bcb946b11071c404d77ecc13d52edbba9b4d9a4143596d916ca53409834fc765f24b9406a5e32d31e8cf0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\98b29039-360c-4cbd-9af0-be038736ccc1.vbs

Filesize
736B

MD5
f0c157bf0a12a5c9efa293f6c57291ad

SHA1
86511f4dcd4e8b6495abffecd01bc3eb49f29c54

SHA256
32cbb33445f1c5b21995a2e1655f3f97200f8476b76f4df28e2c7a3932fc6862

SHA512
aa742991bb959fd5af7c92fac47bfbb294e5dca9aeface1c3f56349a1f34c353ad2b4b64defec325750b0acf2daed998ca141b4995eefba3a198ec448d4e187d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3f6893d-a304-4332-a93f-a47bd996d5fc.vbs

Filesize
736B

MD5
b7b3e2e43fc7c23a3279d10173f3eb17

SHA1
6782c593cbf570a77a0c6a23b58db555ca5f25a4

SHA256
3856127c2158427a48284a5ba287e660c7f79f304cd7a4db974a0e8dbf1be00c

SHA512
773257fd9a4f5a20e3bcb3c6c022d040f8eee4f7eeb217fd2f767e11f90b5de962ab727324532d443757cea61b3f366a5fb47a4ea5882072ba58e3e5000bf1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad75fb1f-c49d-4f86-b3f4-5d156994cb61.vbs

Filesize
512B

MD5
dd49c5c00bbdaca9781ccf7f15c85ad2

SHA1
2e48dc454eaf6d1a54a9bdf0682f17e3db674065

SHA256
50f9310584872b20d58802364be4365ef2ff0e52b7c81746968897ddcf312a42

SHA512
2ba50cf44705cdeee8f1db9a67f3193272f73d7a07b0b90ff42b30e3ea74458ad811eec3584754177558dbc5fcfbbc872176030052a9c2108f23024e364fa70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\caa4b80f-4940-4d19-8af0-a653382ba2f9.vbs

Filesize
736B

MD5
8d0baa9b82e6d723542abf4c9b06441c

SHA1
370f5dde048cac97a821c3f5488cf989392411db

SHA256
513599a8d5bb34ba0958c7b997fcf9099d859e2e0847e6d428a93e225dce9f13

SHA512
939e2bd4f01fc2a93f4338122c6888f5e1bf055db5e0743c6f0e744bcdf9f04baf3c2a443599e52b2624ba73ff240fb20f958e9e170f23e5b42cbc604ea4e416

Download Submit
C:\Users\Admin\AppData\Local\Temp\faDLbbQ0dW.bat

Filesize
225B

MD5
2758deea47108f8ff95ece99a434d9e6

SHA1
efc8702524178fd1a936b7504d1d4cc70e6508f8

SHA256
5a0a61d640182c949e64d05f55ec02a3481eafee2e97035e8fb9c5a6fa50e221

SHA512
a763ac8c1b345c9af6b8a8e19939bb5938ef4db7d96876314de071739986e5eebe521e490e2b689a00c4feed4390eba90cc54a422651b4d53cbe363082904a90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b179f46eed20d3022b7fa4e8885e0bc

SHA1
86991b4d9f518c6938becf2357349b802ecaed05

SHA256
5a549b3706d9c84cdac3fcb519d50cb7075972c091aa4ee320afc8e93fcfb98b

SHA512
9d4732fdccfdb0bc8302ce36fdff62899c45d236338265e0359c27070922aed1d7bdc2cd7f47f1d0c94061d73537dd5fc98528ab56d08bb9d8beb28731de08c2

Download Submit
memory/304-264-0x0000000001050000-0x0000000001210000-memory.dmp

Filesize
1.8MB

Download
memory/1088-252-0x0000000000CF0000-0x0000000000EB0000-memory.dmp

Filesize
1.8MB

Download
memory/1304-288-0x0000000000FB0000-0x0000000001170000-memory.dmp

Filesize
1.8MB

Download
memory/1804-300-0x00000000002B0000-0x0000000000470000-memory.dmp

Filesize
1.8MB

Download
memory/1804-301-0x00000000021E0000-0x00000000021F2000-memory.dmp

Filesize
72KB

Download
memory/2004-162-0x00000000023B0000-0x00000000023B8000-memory.dmp

Filesize
32KB

Download
memory/2004-160-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2092-216-0x0000000000D60000-0x0000000000F20000-memory.dmp

Filesize
1.8MB

Download
memory/2372-276-0x0000000000300000-0x00000000004C0000-memory.dmp

Filesize
1.8MB

Download
memory/2744-12-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/2744-0-0x000007FEF5963000-0x000007FEF5964000-memory.dmp

Filesize
4KB

Download
memory/2744-18-0x000007FEF5960000-0x000007FEF634C000-memory.dmp

Filesize
9.9MB

Download
memory/2744-17-0x0000000002340000-0x000000000234C000-memory.dmp

Filesize
48KB

Download
memory/2744-15-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2744-1-0x0000000000BD0000-0x0000000000D90000-memory.dmp

Filesize
1.8MB

Download
memory/2744-16-0x0000000002330000-0x000000000233C000-memory.dmp

Filesize
48KB

Download
memory/2744-2-0x000007FEF5960000-0x000007FEF634C000-memory.dmp

Filesize
9.9MB

Download
memory/2744-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2744-13-0x0000000002200000-0x000000000220A000-memory.dmp

Filesize
40KB

Download
memory/2744-14-0x0000000002210000-0x000000000221E000-memory.dmp

Filesize
56KB

Download
memory/2744-167-0x000007FEF5960000-0x000007FEF634C000-memory.dmp

Filesize
9.9MB

Download
memory/2744-11-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2744-9-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2744-8-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2744-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2744-7-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2744-4-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2744-5-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2848-227-0x00000000010A0000-0x0000000001260000-memory.dmp

Filesize
1.8MB

Download
memory/2984-240-0x0000000000810000-0x0000000000822000-memory.dmp

Filesize
72KB

Download
memory/2984-239-0x0000000000160000-0x0000000000320000-memory.dmp

Filesize
1.8MB

Download